Abstract

Formal analysis of security protocols is largely based on a set of assumptions commonly referred to as the Dolev-Yao model. Two formalisms that state the basic assumptions of this model are related here: strand spaces and multiset rewriting with existential quantification. Strand spaces provide a simple and economical approach to analysis of completed protocol runs by emphasizing causal interactions among protocol participants. The multiset rewriting formalism provides a very precise way of specifying finite-length protocols with unboundedly many instances of each protocol role, such as client, server, initiator, or responder. A number of modifications to each system are required to produce a meaningful comparison. In particular, we extend the strand formalism with a way of incrementally growing bundles in order to emulate an execution of a protocol with parametric strands. The correspondence between the modified formalisms directly relates the intruder theory from the multiset rewriting formalism to the penetrator strands. The relationship we illustrate here between multiset rewriting specifications and strand spaces thus suggests refinements to both frameworks, and deepens our understanding of the Dolev-Yao model.
1 Introduction

The late 1990s saw a burst of research in security protocol analysis which yielded theoretical insight [16] and enhanced verification techniques [20, 29]. The cornerstone of these endeavors was a rising tide of formal notational frameworks for protocols, among them the spi-calculus [1], strand spaces [33] and multiset rewriting [10]. A first attempt to sort out the diverse languages, security assumptions, and execution models appeared in an early version of this work [9], which focused on the relationship between strand spaces [33, 34, 23] and a formalism based on multiset rewriting [10]. In the years that followed [9], researchers built several more bridges between languages for cryptographic protocol analysis, producing an almost complete map by now: strand spaces and multiset rewriting are tied to linear logic in [8]; mappings between process algebra, Petri nets (a close relative of multiset rewriting), strand spaces and inductive models are given in [11]; strand spaces and BAN logic are related in [32]; similarities between strand spaces and multi-agent systems are investigated in [21]; and the relation between multiset rewriting and process algebraic specifications is analyzed in [3, 27]. These theoretical investigations allow researchers to understand precisely how their results are related, often enabling a direct transfer of properties such as secrecy and many forms of authentication, as most of these formalisms ultimately rely on a trace-based semantics. This observation is put into practice in the CAPSL Intermediate Language (CIL — another close relative of multiset rewriting) [14] and the numerous "connectors" translating CIL specifications to and from other languages and tools [5, 13, 25].

Protocol execution steps can be seen as inducing local changes to a global state consisting of messages in transit and the private data of each principal. This view was sharpened into a rigorous, formal language based on multiset rewriting with existential quantification [10, 16]: multiset rewrite rules represent protocol actions that can alter the portion of the global state visible to a principal. Messages and local data are represented symbolically in accordance with the Dolev-Yao abstraction [15, 28], while existential quantification, as commonly used in formal logic, provides a natural way of choosing new values, such as fresh keys or nonces. Protocol execution is carried out symbolically, with the behavior of the standard Dolev-Yao intruder explicitly implemented as rewrite rules. This model formed the core of CIL [14], which was designed as a neutral intermediate language for the exchange of specifications written for diverse verification tools [5, 13, 25]. This model also forms the core of the more recent MSR specification framework [7], an expressive and usable high-level language for describing cryptographic protocols.

Strand spaces [33, 34, 23] are a highly popular formalism for describing the result of a protocol execution as they visualize the causal interactions among individual steps. Roughly, the actions of each protocol participant are linearly ordered into strands, while a second spatial dimension connects complementary events of different principals, e.g. the transmission and reception of a given message. It should be observed that strand spaces were designed as a means to represent completed executions, both normal and malicious, and therefore offered only an indirect way of expressing protocols themselves. In this light, they provide a simple and succinct framework for state-based analysis of completed protocol runs. State space reduction techniques based on the strand space framework are utilized in an efficient automated checker, Athena [31]. It has recently been observed [11, 17] that strand spaces are closely related to process-based specification languages such as the spi-calculus [1].

Since both multiset rewriting and strand spaces are used to specify cryptographic protocols and their (mis-)behaviors, one would expect them to be equivalent in some way. Producing a meaningful equivalence requires a heavy infrastructure and may be obtained only after a number of modifications are made in each setting. We shall trace these difficulties to two orthogonal aspects of these languages.

• First, they differ in their inherent focus: multiset rewriting provides a syntax to write protocols and a semantics to produce valid executions, while strand spaces offer static specifications of protocol executions, from which the protocols themselves can be glimpsed only in an indirect light.

We choose to bring strand spaces on a par with multiset rewriting by endowing them with a syntax to express protocols as first-class objects, and a semantics that incrementally grows strand spaces (in the original sense) as an execution of a protocol unfolds. The resulting notion of parametric strand has since [9] been adopted under different names by numerous researchers, e.g. [11, 17].

We also make minor changes to the multiset rewriting formalism, in particular with the elimination of the original "initialization phase" [10] which specifies rules to define principals and distribute shared, public, or private keys. This information is now statically assumed as part of the initial state, in line with most protocol specification languages, including strand spaces, CIL and MSR.

• A second major difference derives from the underlying paradigm for specifying concurrent executions. As noted above, multiset rewriting is state-based, operating through local transformation on an explicit global state, while strand spaces are process-based with emphasis on communication between strands. This subtle distinction is a well-known problem in concurrency theory and has been repeatedly addressed, starting with [2]. It has recently been isolated relative to protocol specification in [3]. The material presented here specializes this account to strand spaces and multiset rewriting, and integrates it with the alterations outlined above.

The resolution of these two issues accounts for most of the machinery in this paper, with the rest taken up by minor syntactic differences. In the end, it provides effective procedures for faithfully translating the specification of security protocols, and in particular their execution, from the strand world into multiset rewriting, and vice versa. While comparing verification techniques is outside the scope of this paper, it is worth noting that the correspondence between executions in the two models allows swapping any trace-based property such as secrecy and most forms of authentication.

This paper is organized as follows: the multiset rewriting formalism is discussed in Section 2. In Section 3, we introduce strand spaces and present our extensions. The translation from multiset rewriting to strand spaces is presented in Section 4. The reverse mapping, from strand spaces to multiset rewriting, is given in Section 5. Section 6 discusses related work, while Section 7 offers some concluding remarks.

2 Multiset Rewriting Theories

This section recalls basic notions pertaining to multiset rewriting (Section 2.1) and introduces the methodology by which they can be applied to specify cryptographic protocols (Section 2.2). We deviate from the original presentation [10] by eliminating the initialization phase in favor of persistent information given a priori. We also outline the transformation of generic specifications into regular protocol theories (Section 2.3), a step that will simplify the comparison with strand spaces. We conclude with a description of the intruder model tailored to simplify the comparison with strand spaces (Section 2.4).

2.1 First-Order Multiset Rewriting

A multiset $M$ is an unordered collection of objects or elements, possibly with repetitions. The empty multiset does not contain any object and will be written We accumulate the elements of two multisets $M$ and $N$ by taking their multiset union, denoted "$M, N$". The elements we will consider here will be first-order atomic formulas $A(\vec t)$ over some signature.

We will make use of the standard definitions pertaining to the variables of first-order logic. In particular, we write $\mathrm{Var}(A_0, \ldots, A_n)$ for the set of variables occurring in the multiset of atomic formulas $A_0, \ldots, A_n$. We say that a (multiset of) formula(s) is ground if no variable appears in it. Finally, substitutions (generally written $\theta$, $\delta$ or $\xi$) are as usual mappings from variables to generic terms. We write $A[\delta]$ for the application of a substitution $\delta$ to a formula $A$, and use a similar notation for multisets of formulas.

In its simplest form, a multiset rewrite rule $r$ is a pair of multisets $F$ and $G$, respectively called the antecedent and consequent of $r$. We will consider a slightly more elaborate notion in which $F$ and $G$ are multisets of first-order atomic formulas with variables among $\vec x$. We emphasize this aspect by writing them as $F(\vec x)$ and $G(\vec x)$. Furthermore, we shall be able to mark variables in the consequent so that they are instantiated to "fresh" constants, that have not previously been encountered, even if the rule is used repeatedly. A rule then assumes the form

$r : F(\vec x) \longrightarrow \exists \vec n.\ G(\vec x, \vec n)$

where $r$ is a label and $\exists \vec n$ indicates that the variables $\vec n$ are to be instantiated with constants that ought to be fresh. A multiset rewriting system $\mathcal{R}$ is a set of rewrite rules.

Rewrite rules allow transforming a multiset into another multiset by making localized changes to the elements that appear in it. Given a multiset of ground facts $M$, a rule $r : F(\vec x) \longrightarrow \exists \vec n.\ G(\vec x, \vec n)$ is applicable if $M = F(\vec t), M'$ for terms $\vec t$. Then, applying $r$ to $M$ yields the multiset $N = G(\vec t, \vec c), M'$ where the constants $\vec c$ are fresh (in particular, they are distinct from any symbol appearing in $M$ or $r$), $\vec x$ and $\vec n$ have been instantiated with $\vec t$ and $\vec c$ respectively, and the facts $F(\vec t)$ in $M$ have been replaced with $G(\vec t, \vec c)$ to produce $N$. Here, $\theta = [\vec t/\vec x]$ is the matching substitution of rule $r$ with respect to $M$, while $\xi = [\vec c/\vec n]$ is its fresh constant substitution. We write $\delta$ for the composite substitution $(\theta, \xi)$ and call it the instantiating substitution of rule $r$ with respect to $M$. We denote the application of a single rule and of zero or more rewrite rules from the rewriting system $\mathcal{R}$ by means of the one-step and multistep transition judgments:

$M \xrightarrow{\ r\ }_{\mathcal{R}} N \qquad\qquad M \xrightarrow{\ \vec r\ }{}^{*}_{\mathcal{R}} N$

respectively. The labels $r$ and $\vec r$ identify which rule(s) have been applied together with its (their) instantiating substitution(s). Thus, $\vec r$ acts as a complete trace of the execution.

2.2 Protocol Theories

We model protocols by means of specifically tailored first-order multiset rewriting systems. We present here a simplified version of the model introduced in [10, 16]. We will further refine it in Section 2.3 to achieve a meaningful comparison with the strand formalism. We rely upon the following atomic formulas:

Persistent information: Data such as the identity of principals and their keys often constitute the stage on which the execution of a protocol takes place, and does not change as it unfolds. We will represent and access this persistent information through a fixed set of persistent predicates that we will indicate using a slanted font (e.g. $\mathit{KeyP}$, as opposed to $N$). A selection of persistent predicates is described in Appendix A.2.

In [10, 16], we described the choice of the persistent data by means of a set of multiset rewrite rules of a specific form, that we called the initialization theory. We showed that the application of these rules can be confined to an initialization phase that precedes the execution of any other rule. Let $\Pi$ be the resulting set of ground facts.¹ Strand constructions assume instead that the persistent information is given up-front as a set. We reconcile the two approaches by dropping the explicit initialization phase of [10, 16] and assuming $\Pi$ given. We will allow individual rules to query $\Pi$ (but not to modify it). Therefore, for every rule, the persistent predicates appearing in its antecedent and consequent shall be identical. We will generically indicate them as $\pi$, or $\pi(\vec x)$ when emphasizing the variables they may mention.

Network messages: Network messages are modeled by the predicate $N(m)$, where $m$ is the message being transmitted. Having a distinct network predicate for each message exchanged in a protocol specification, as done in [10, 16], is equivalent, but would obscure the translation in Section 5. Messages will consist of the class of terms freely generated from atomic messages (principal names, keys, nonces, etc.) by the operators of concatenation, written with a comma as in "$m_1, m_2$", and encryption, written "$\{m\}_k$". The detailed syntax of messages is presented in Appendix A.

¹ Constraints on the initialization theory prevent $\Pi$ from containing duplicates [10, 16].
Initiator:

$r_{A0} : \pi_A(A, B) \longrightarrow A_0(A, B),\ \pi_A(A, B)$

$r_{A1} : A_0(A, B) \longrightarrow \exists N_A.\ A_1(A, B, N_A),\ N(\{N_A, A\}_{K_B})$

$r_{A2} : A_1(A, B, N_A),\ N(\{N_A, N_B\}_{K_A}) \longrightarrow A_2(A, B, N_A, N_B)$

$r_{A3} : A_2(A, B, N_A, N_B) \longrightarrow A_3(A, B, N_A, N_B),\ N(\{N_B\}_{K_B})$

Responder:

$r_{B0} : \pi_B(A, B) \longrightarrow B_0(A, B),\ \pi_B(A, B)$

$r_{B1} : B_0(A, B),\ N(\{N_A, A\}_{K_B}) \longrightarrow B_1(A, B, N_A)$

$r_{B2} : B_1(A, B, N_A) \longrightarrow \exists N_B.\ B_2(A, B, N_A, N_B),\ N(\{N_A, N_B\}_{K_A})$

$r_{B3} : B_2(A, B, N_A, N_B),\ N(\{N_B\}_{K_B}) \longrightarrow B_3(A, B, N_A, N_B)$

where

$\pi_A(A, B) = \mathit{Pr}(A),\ \mathit{PrvK}(A, K_A^{-1}),\ \mathit{Pr}(B),\ \mathit{PubK}(B, K_B)$

$\pi_B(A, B) = \mathit{Pr}(B),\ \mathit{PrvK}(B, K_B^{-1}),\ \mathit{Pr}(A),\ \mathit{PubK}(A, K_A)$

Figure 1. Multiset Rewriting Specification of the Needham-Schroeder Protocol


Role states: We first choose a set of role identifiers $\rho_1, \ldots, \rho_n$ for the different roles constituting the protocol. Then, for each role $\rho$, we have a finite family of role state predicates $\{A_{\rho i}(\vec m) \mid i = 0, \ldots, l_\rho\}$. They are intended to hold the internal state of a principal in role $\rho$ during the successive steps of the protocol.

This scheme can immediately be generalized to express roles that can take conditional or non-deterministic actions (e.g. toss a coin to choose among two messages to send — useful for zero-knowledge proofs, for example — or respond in two different ways depending on the contents of an incoming message — useful for intrusion detection). We simply need to alter our naming convention for role states and rules (below) to take alternatives into account.² This paper will consider only linearly ordered role states, as the layer of technicality required to treat the general case would obscure the comparison with strands.

Intruder knowledge: The unary predicate symbol $I$ is needed to model the intruder's knowledge in a distributed fashion. It will be discussed at length in Section 2.4. This predicate shall not be accessible to honest principals.

We represent each role $\rho$ in a protocol by means of a single role generation rule and a finite number of protocol execution rules. The purpose of the former is to prepare for the execution of an instance of role $\rho$. It has the form

$r_{\rho 0} : \pi(\vec x) \longrightarrow A_{\rho 0}(\vec x),\ \pi(\vec x).$

² Indeed, any partial ordering of the role state predicates will implement a well-founded protocol theory, as defined in [10, 16].
where, here and in the rest of the paper, $\pi(\vec x)$ denotes a multiset of persistent atomic formulas that may mention variables among $\vec x$. This portion of the antecedent will be matched against $\Pi$, with the effect of instantiating $\vec x$ to actual persistent values such as principal names and keys. This implements a form of look-up. Notice how persistent information is preserved.

The execution rules describe the messages sent and expected by the principal acting in this role. For $i = 0, \ldots, l_\rho - 1$, we have a rule $r_{\rho i+1}$ of either of the following two forms:

Send: $r_{\rho i+1} : A_{\rho i}(\vec x),\ \pi(\vec x, \vec z) \longrightarrow \exists \vec n.\ A_{\rho i+1}(\vec x, \vec z, \vec n),\ \pi(\vec x, \vec z),\ N(m(\vec x, \vec z, \vec n))$

Receive: $r_{\rho i+1} : A_{\rho i}(\vec x),\ \pi(\vec x, \vec y, \vec z),\ N(m(\vec x, \vec y)) \longrightarrow A_{\rho i+1}(\vec x, \vec y, \vec z),\ \pi(\vec x, \vec y, \vec z)$
where $m(\vec v)$ stands for a message pattern with variables among $\vec v$. In the first type of rules, we rely on the existential operator $\exists \vec n$ to model the ability of a principal to create nonces when sending a message. This principal can also include some persistent data $\vec z$ (e.g. the name and public key of an interlocutor), possibly related to information it already possesses ($\vec x$). In the second rule template, the principal should be able to access persistent information $\vec z$ related to data $\vec y$ in the received message $m$ (e.g. the sender's public key) or previously known information $\vec x$. Situations where a principal both sends and receives a message, or sends multiple messages, can easily be expressed by these rules.

A protocol is specified as a set of such roles. Every $\mathcal{R}$ constructed in this way is trivially a well-founded protocol theory [10, 16]. As an example, Figure 1 shows the encoding of the familiar simplified Needham-Schroeder public key protocol in the multiset rewriting notation, according to the syntax defined in Appendix A. For the sake of readability, we omitted the keys in the persistent state predicates.

A state $S = (\Pi, A, N, I)$ is a multiset of ground facts, where $\Pi$ is the persistent information, $A$ is a multiset of role states $A_{\rho i}(\vec t)$, $N$ is a multiset of messages $N(m)$ currently in transit, and $I$ is a collection of predicates $I(m)$ summarizing the intruder's knowledge. Notice in particular that the initial state, denoted $S_0$, is just $(\Pi, I_0)$, where $I_0$ contains the information (e.g. keys) initially known to the intruder.
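The rewriting semantics of Section 2.1 (matching substitution, fresh constants, one-step and multistep transitions) and the protocol theory of Figure 1 can both be exercised with a small symbolic interpreter. The following is an added example, not code from the paper: it encodes rules as (label, antecedent, fresh variables, consequent), matches antecedents against distinct facts of the state, and then runs one honest Needham-Schroeder session from an initial state $S_0 = (\Pi, I_0)$ with $I_0$ empty. The principal names, key constants and the persistent state $\Pi$ are constructed for the example; the role states carry the keys looked up by the role generation rules (which Figure 1 omits for readability), and $\pi_A$ additionally looks up $\mathit{PubK}(A, K_A)$ so that $r_{A2}$ can check the key of the incoming message.

```python
from itertools import count

# Terms: a str is a constant, or a variable when it starts with '?'.
#   ('pair', m1, m2) is the concatenation m1, m2 ; ('enc', m, k) is the encryption {m}_k
# A fact is a tuple (predicate, arg1, ...); a state is a list of ground facts (a multiset).

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def match(pat, term, sub):
    """Extend substitution sub so that pat[sub] == term; return None on failure."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and len(pat) == len(term)):
            return None
        for p, t in zip(pat, term):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pat == term else None

def subst(t, sub):
    """Apply a substitution to a term or fact (every variable must be bound)."""
    if is_var(t):
        return sub[t]
    if isinstance(t, tuple):
        return tuple(subst(x, sub) for x in t)
    return t

def match_multiset(pats, state, sub):
    """Match F(x) against distinct facts of M: yield (theta, M') for every split M = F(t), M'."""
    if not pats:
        yield sub, state
        return
    for i, fact in enumerate(state):
        s = match(pats[0], fact, sub)
        if s is not None:
            yield from match_multiset(pats[1:], state[:i] + state[i + 1:], s)

_fresh = count()   # source of constants that have never been encountered before

def apply_rule(rule, state, given=None):
    """One-step transition M --r--> N for rule = (label, F, n, G), i.e. r : F(x) -> exists n. G(x, n).
    'given' optionally fixes part of the matching substitution (which principals play the role).
    Returns (N, instantiating substitution delta = theta + xi) for the first match, else None."""
    label, ante, fresh, cons = rule
    for theta, rest in match_multiset(ante, state, dict(given or {})):
        xi = {n: f"{n[1:]}#{next(_fresh)}" for n in fresh}
        delta = {**theta, **xi}
        return rest + [subst(f, delta) for f in cons], delta
    return None

def run(rules, state, script):
    """Multistep transition M -->* N along a script of rule labels; the trace records each
    label with its instantiating substitution, as the vector r of the paper does."""
    trace = []
    for step in script:
        label, given = step if isinstance(step, tuple) else (step, None)
        res = apply_rule(rules[label], state, given)
        if res is None:
            raise RuntimeError(f"rule {label} is not applicable")
        state, delta = res
        trace.append((label, delta))
    return state, trace

def pair(m1, m2): return ('pair', m1, m2)
def enc(m, k): return ('enc', m, k)

# Figure 1 (Needham-Schroeder); role states also carry K_A and K_B, see the lead-in.
pi_A = [('Pr', '?A'), ('PrvK', '?A', '?KAinv'), ('PubK', '?A', '?KA'), ('Pr', '?B'), ('PubK', '?B', '?KB')]
pi_B = [('Pr', '?B'), ('PrvK', '?B', '?KBinv'), ('PubK', '?B', '?KB'), ('Pr', '?A'), ('PubK', '?A', '?KA')]
A0, A1 = ('A0', '?A', '?B', '?KA', '?KB'), ('A1', '?A', '?B', '?KA', '?KB', '?NA')
A2, A3 = ('A2', '?A', '?B', '?KA', '?KB', '?NA', '?NB'), ('A3', '?A', '?B', '?KA', '?KB', '?NA', '?NB')
B0, B1 = ('B0', '?A', '?B', '?KA', '?KB'), ('B1', '?A', '?B', '?KA', '?KB', '?NA')
B2, B3 = ('B2', '?A', '?B', '?KA', '?KB', '?NA', '?NB'), ('B3', '?A', '?B', '?KA', '?KB', '?NA', '?NB')
NS = {
    'rA0': ('rA0', pi_A, [], [A0] + pi_A),
    'rA1': ('rA1', [A0], ['?NA'], [A1, ('N', enc(pair('?NA', '?A'), '?KB'))]),
    'rA2': ('rA2', [A1, ('N', enc(pair('?NA', '?NB'), '?KA'))], [], [A2]),
    'rA3': ('rA3', [A2], [], [A3, ('N', enc('?NB', '?KB'))]),
    'rB0': ('rB0', pi_B, [], [B0] + pi_B),
    'rB1': ('rB1', [B0, ('N', enc(pair('?NA', '?A'), '?KB'))], [], [B1]),
    'rB2': ('rB2', [B1], ['?NB'], [B2, ('N', enc(pair('?NA', '?NB'), '?KA'))]),
    'rB3': ('rB3', [B2, ('N', enc('?NB', '?KB'))], [], [B3]),
}

def ns_honest_run():
    """One honest session between a and b from S_0 = (Pi, I_0), I_0 empty (constructed Pi)."""
    pi = [('Pr', 'a'), ('Pr', 'b'), ('PrvK', 'a', 'ka_inv'), ('PrvK', 'b', 'kb_inv'),
          ('PubK', 'a', 'ka'), ('PubK', 'b', 'kb')]
    script = [('rA0', {'?A': 'a', '?B': 'b'}), ('rB0', {'?A': 'a', '?B': 'b'}),
              'rA1', 'rB1', 'rB2', 'rA2', 'rA3', 'rB3']
    return run(NS, pi, script)

def final_role_states(state):
    """The A3 and B3 facts of a state, keyed by predicate name."""
    return {f[0]: f for f in state if f[0] in ('A3', 'B3')}

if __name__ == '__main__':
    final, trace = ns_honest_run()
    for label, delta in trace:
        print(label, {v: t for v, t in delta.items() if v in ('?NA', '?NB')})
    print(final_role_states(final))
```

After the eight steps no $N(\cdot)$ fact remains in transit and both final role states agree on the two fresh nonces, which is exactly the trace-level information that Section 4 and Section 5 transfer between the two formalisms. The `given` argument stands in for the choice of match: without it, $\pi_B$ could just as well be instantiated with the two principals swapped, and the responder would then wait for a message nobody sends.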

2.3 Regular Protocol Theories

The notion of protocol theory introduced in the previous section, although weaker than our original definition [10, 16], is too liberal for a direct comparison with the strand formalism. We will instead rely on the more restrictive definition of regular protocol theory. The role generation rule of a regular role shall access all the persistent information that will be used in this role. It has therefore the following form:

$r_{\rho 0} : \pi(\vec x) \longrightarrow A_{\rho 0}(\vec x),\ \pi(\vec x).$

Consequently, protocol execution rules do not need to mention any persistent information:

Send: $A_{\rho i}(\vec x) \longrightarrow \exists \vec n.\ A_{\rho i+1}(\vec x, \vec n),\ N(m(\vec x, \vec n))$

Receive: $A_{\rho i}(\vec x),\ N(m(\vec x, \vec y)) \longrightarrow A_{\rho i+1}(\vec x, \vec y)$

Regular protocol theories look up all the persistent information that is used in a role, including the identity and keys of other parties, before any message is exchanged. As we will see, this is closely related to the mode of execution of strands. The example in Figure 1, already discussed in the previous section, is indeed a regular protocol theory.
It should be observed that every protocol theory $\mathcal{R}$ can be transformed into a regular protocol theory $\hat{\mathcal{R}}$ by simply moving all the persistent predicates occurring in a role to its role generation rule, and adding arguments to the role state predicates accordingly. In order to formalize this idea, we write $\bar\pi(r)$ for the persistent predicates occurring in a rule $r$. We similarly write $\bar\pi(\rho)$ for the persistent predicates appearing in role $\rho$; without loss of generality, we shall assume that variable names are used consistently in the different rules of a role: in particular every occurrence of state predicate symbol $A_{\rho i}$ in $\rho$ is always applied to the same string of variables. These notions are defined as follows:


$\bar\pi(r_{\rho 0}) = \pi(\vec x)$  where $r_{\rho 0} = \pi(\vec x) \longrightarrow A_{\rho 0}(\vec x),\ \pi(\vec x)$

$\bar\pi(r_{\rho i+1}) = \pi(\vec x, \vec z)$  if $r_{\rho i+1} = A_{\rho i}(\vec x),\ \pi(\vec x, \vec z) \longrightarrow \exists \vec n.\ A_{\rho i+1}(\vec x, \vec z, \vec n),\ \pi(\vec x, \vec z),\ N(m(\vec x, \vec z, \vec n))$

$\bar\pi(r_{\rho i+1}) = \pi(\vec x, \vec y, \vec z)$  if $r_{\rho i+1} = A_{\rho i}(\vec x),\ \pi(\vec x, \vec y, \vec z),\ N(m(\vec x, \vec y)) \longrightarrow A_{\rho i+1}(\vec x, \vec y, \vec z),\ \pi(\vec x, \vec y, \vec z)$

$\bar\pi(\rho) = \bar\pi(r_{\rho 0}), \ldots, \bar\pi(r_{\rho n})$  where $\rho = r_{\rho 0}, \ldots, r_{\rho n}$


Then, the regular protocol theory $\hat{\mathcal{R}}$ (resp. role $\hat\rho$ and rule $\hat r$) corresponding to protocol theory $\mathcal{R}$ (resp. role $\rho$ and rule $r$) is defined as follows:

$\hat r_{\rho 0} = \bar\pi(\rho) \longrightarrow \hat A_{\rho 0}(\mathrm{Var}(\bar\pi(\rho))),\ \bar\pi(\rho)$

$\hat r_{\rho i+1} = \hat A_{\rho i}(\vec x') \longrightarrow \exists \vec n.\ \hat A_{\rho i+1}(\vec x', \vec n),\ N(m(\vec x', \vec n))$  (1)

$\hat r_{\rho i+1} = \hat A_{\rho i}(\vec x'),\ N(m(\vec x', \vec y)) \longrightarrow \hat A_{\rho i+1}(\vec x', \vec y)$  (2)

$\hat\rho = \hat r_{\rho 0}, \ldots, \hat r_{\rho n}$

$\hat{\mathcal{R}} = \hat\rho_1, \ldots, \hat\rho_m$

where

$r_{\rho 0} = \pi(\vec x) \longrightarrow A_{\rho 0}(\vec x),\ \pi(\vec x)$

$r_{\rho i+1} = A_{\rho i}(\vec x),\ \pi(\ldots) \longrightarrow \exists \vec n.\ A_{\rho i+1}(\ldots),\ \pi(\ldots),\ N(m(\ldots))$  in (1)

$r_{\rho i+1} = A_{\rho i}(\vec x),\ \pi(\ldots),\ N(m(\vec x, \vec y)) \longrightarrow A_{\rho i+1}(\vec x, \vec y, \vec z),\ \pi(\ldots)$  in (2)

$\rho = r_{\rho 0}, \ldots, r_{\rho n}$

$\mathcal{R} = \rho_1, \ldots, \rho_m$

Here, $\hat A_{\rho i}$ is the role state predicate corresponding to $A_{\rho i}$. The definition of rule translation describes how to compute its arguments: the first of these predicates, $\hat A_{\rho 0}$, is equipped with all the variables occurring in $\bar\pi(\rho)$, a set that we have written $\mathrm{Var}(\bar\pi(\rho))$ above. The choice of arguments of the remaining role state predicates, $\hat A_{\rho i+1}$, is guided by the form of the rule in which the corresponding $A_{\rho i+1}$ first occurs. Therefore, the variables $\vec x'$ in the definitions of $\hat r_{\rho i+1}$ are the arguments computed for $\hat A_{\rho i}$ in the consequent of rule $\hat r_{\rho i}$.

Example: As a simple example, consider the three-rule role at the top of the following table, in which an initiator $A$ sends a newly generated nonce $N_A$ on the network, and expects it back encrypted with her own private key.


Original role:

$r_{\rho 0} : \mathit{Pr}(A) \longrightarrow A_{\rho 0}(A),\ \mathit{Pr}(A)$

$r_{\rho 1} : A_{\rho 0}(A) \longrightarrow \exists N_A.\ A_{\rho 1}(A, N_A),\ N(N_A)$

$r_{\rho 2} : A_{\rho 1}(A, N_A),\ \mathit{PubK}(A, K_A),\ N(\{N_A\}_{K_A}) \longrightarrow A_{\rho 2}(A, N_A, K_A),\ \mathit{PubK}(A, K_A)$

Regular role:

$\hat r_{\rho 0} : \mathit{Pr}(A),\ \mathit{PubK}(A, K_A) \longrightarrow \hat A_{\rho 0}(A, K_A),\ \mathit{Pr}(A),\ \mathit{PubK}(A, K_A)$

$\hat r_{\rho 1} : \hat A_{\rho 0}(A, K_A) \longrightarrow \exists N_A.\ \hat A_{\rho 1}(A, K_A, N_A),\ N(N_A)$

$\hat r_{\rho 2} : \hat A_{\rho 1}(A, K_A, N_A),\ N(\{N_A\}_{K_A}) \longrightarrow \hat A_{\rho 2}(A, K_A, N_A)$

The corresponding regular role is displayed at the bottom of the table. Observe that all the persistent information is gathered in the role generation rule $\hat r_{\rho 0}$ and no persistent predicate appears in any other rule. Observe also how the arguments of the role state predicates have been updated.

The transformation we have just outlined does not preserve execution. This can clearly be seen in the above example: assume that the specification contains a principal $a$ who does not have a public key. Then, rule $r_{\rho 0}$ (and successively rule $r_{\rho 1}$) can fire in any state $S$, resulting in the state $(S, A_{\rho 0}(a))$. Rule $r_{\rho 2}$ cannot execute since there is no $\mathit{PubK}(a, k)$ in $\Pi$ for any $k$. However, rule $\hat r_{\rho 0}$ is not enabled in any reasonable translation $\hat S$ of $S$ since there is no $k_a$ such that $\mathit{PubK}(a, k_a)$ holds.

However, any execution sequence in the transformed system can be mapped back to an application of the corresponding rules in the original system:

Property 2.1 If $S_0 \longrightarrow^{*}_{\hat{\mathcal{R}}} \hat S$, then $S_0 \longrightarrow^{*}_{\mathcal{R}} S$.

Proof: The proof proceeds by induction on the length of the transformed execution sequence, say $\vec{\hat r}, \vec\delta$, where $\vec\delta$ denotes the instantiating substitutions used in it. □

Observe that this property does not hold, in general, if we start from a state that includes intermediate role state predicates, as we cannot guarantee that their arguments are related to $\Pi$. This is the reason we consider only the initial state $S_0$.

Regular protocol theories upgrade our original definition of (unqualified) protocol theories [9] with the requirement that all the persistent information used during the execution of a role be accessed in its role generation rule. While the two definitions are equally acceptable in general, the regularity restriction brings us one step closer to the strand world, where all accessory values are chosen up-front. This is a slippery slope since, as we just saw, protocol theories cannot be regularized in general without losing transition sequences (see Section 4.1 for the consequences of starting from generic protocol theories). This is one more restriction that our multiset rewriting formalism shall abide by in order to set up a fair comparison with strand spaces.

From now on, all the protocol theories we will be considering shall be regular.
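The regularization of Section 2.3 is a purely syntactic transformation on a role, so it can be implemented and checked without running the protocol. The following is an added example, not code from the paper: it computes $\bar\pi(\rho)$, builds $\hat r_{\rho 0}$ with $\mathrm{Var}(\bar\pi(\rho))$ as arguments and threads $\vec x'$ through the later rules, adding $\vec n$ for send rules and the new message variables $\vec y$ for receive rules. It is applied to the three-rule role of the example above, and then reproduces the non-preservation argument for a principal without a public key by a necessary-condition test on $\Pi$. The rule encoding (variables start with '?', hat predicates and rules carry a '^' prefix) and the set of persistent predicate names are assumptions of this example.

```python
from collections import Counter

PERSISTENT = {'Pr', 'PubK', 'PrvK', 'KeyP'}   # persistent predicates assumed for the example

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def variables(term, acc=None):
    """Var(.): the variables of a term, fact or list of facts, in order of first occurrence."""
    acc = [] if acc is None else acc
    if is_var(term):
        if term not in acc:
            acc.append(term)
    elif isinstance(term, (tuple, list)):
        for t in term:
            variables(t, acc)
    return acc

def persistent_part(rule):
    """pi-bar(r): the persistent atomic formulas of rule r; they must be the same on both sides."""
    _, ante, _, cons = rule
    pers = [f for f in ante if f[0] in PERSISTENT]
    if Counter(pers) != Counter(f for f in cons if f[0] in PERSISTENT):
        raise ValueError("a protocol rule may query Pi but not modify it")
    return pers

def role_state(facts):
    """The single role state predicate among facts (neither persistent nor a network message)."""
    return [f for f in facts if f[0] not in PERSISTENT and f[0] != 'N'][0]

def regularize(role):
    """Build the regular role: persistent look-ups move to the generation rule, whose state
    predicate gets Var(pi-bar(rho)); each later state predicate gets the previous arguments x'
    plus the fresh names n (send, form (1)) or the new message variables y (receive, form (2))."""
    pi_role = []
    for r in role:
        for f in persistent_part(r):
            if f not in pi_role:
                pi_role.append(f)
    xs = variables(pi_role)                                     # arguments of ^A_rho0
    label0, _, _, cons0 = role[0]
    regular = [(label0 + '^', list(pi_role), [],
                [('^' + role_state(cons0)[0],) + tuple(xs)] + list(pi_role))]
    for label, ante, fresh, cons in role[1:]:
        net_in = [f for f in ante if f[0] == 'N']
        net_out = [f for f in cons if f[0] == 'N']
        prev = tuple(xs)
        xs = xs + (list(fresh) if fresh else [v for v in variables(net_in) if v not in xs])
        regular.append((label + '^',
                        [('^' + role_state(ante)[0],) + prev] + net_in, list(fresh),
                        [('^' + role_state(cons)[0],) + tuple(xs)] + net_out))
    return regular

def persistent_enabled(rule, pi_state):
    """Necessary condition for the persistent part of a rule to match Pi: every persistent
    predicate in its antecedent has a fact of the same name and arity in Pi."""
    return all(any(f[0] == p[0] and len(f) == len(p) for f in pi_state)
               for p in persistent_part(rule))

# The three-rule role of the example; ('enc', m, k) stands for {m}_k.
EXAMPLE_ROLE = [
    ('r0', [('Pr', '?A')], [], [('A0', '?A'), ('Pr', '?A')]),
    ('r1', [('A0', '?A')], ['?NA'], [('A1', '?A', '?NA'), ('N', '?NA')]),
    ('r2', [('A1', '?A', '?NA'), ('PubK', '?A', '?KA'), ('N', ('enc', '?NA', '?KA'))], [],
           [('A2', '?A', '?NA', '?KA'), ('PubK', '?A', '?KA')]),
]

def show(rule):
    """Render a rule in the notation of the paper (ASCII arrow, 'exists' for the quantifier)."""
    label, ante, fresh, cons = rule
    fmt = lambda fs: ', '.join(f"{f[0]}({', '.join(map(str, f[1:]))})" for f in fs)
    quant = 'exists ' + ','.join(fresh) + '. ' if fresh else ''
    return f"{label}: {fmt(ante)} -> {quant}{fmt(cons)}"

if __name__ == '__main__':
    for r in regularize(EXAMPLE_ROLE):
        print(show(r))
    # A principal c without a public key (constructed Pi): r0 can fire, ^r0 never does.
    pi_c = [('Pr', 'c')]
    print(persistent_enabled(EXAMPLE_ROLE[0], pi_c), persistent_enabled(regularize(EXAMPLE_ROLE)[0], pi_c))
```

The output reproduces the regular role at the bottom of the table: $\hat A_{\rho 0}(A, K_A)$, then $\hat A_{\rho 1}(A, K_A, N_A)$ with the fresh $N_A$ appended, and $\hat A_{\rho 2}(A, K_A, N_A)$ with no new argument since $r_{\rho 2}$ receives only variables already known. With $\Pi = \{\mathit{Pr}(c)\}$ the original generation rule is enabled but the regular one is not, which is the execution sequence lost by the transformation.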


(Receive)  $rec : N(m) \longrightarrow I(m)$

(Decompose)  $dcmp : I(m_1, m_2) \longrightarrow I(m_1),\ I(m_2),\ I(m_1, m_2)$

(Decrypt)  $decr : I(\{m\}_k),\ I(k'),\ \mathit{KeyP}(k, k') \longrightarrow I(m),\ I(\{m\}_k),\ I(k'),\ \mathit{KeyP}(k, k')$

(Send)  $snd : I(m) \longrightarrow N(m),\ I(m)$

(Compose)  $cmp : I(m_1),\ I(m_2) \longrightarrow I(m_1, m_2),\ I(m_1),\ I(m_2)$

(Encrypt)  $encr : I(m),\ I(k) \longrightarrow I(\{m\}_k),\ I(m),\ I(k)$

(Nonce)  $nnc : \longrightarrow \exists n.\ I(n)$

(Persistent)  $pers : \pi(m) \longrightarrow I(m),\ \pi(m)$

Figure 2. The Standard Intruder Theory $\mathcal{I}$


2.4 Intruder Theory

The knowledge available at any instant to the intruder consists of the persistent information in $\Pi$, of the unused portion of its initial knowledge $I_0$ (e.g. the keys of dishonest principals), and of intercepted or inferred messages. We use the state predicate $I(\_)$ to hold each piece of information known to the intruder. In particular, we represent the fact that the intruder "knows" $m$ (a message, a key, etc.) as $I(m)$. The overall knowledge of the intruder at any particular instant is indicated with $I$. As mentioned above, we write $I_0$ for the intruder's initial knowledge.

The capabilities of the intruder are modeled by the standard intruder theory $\mathcal{I}$ displayed in Figure 2. These rules are taken from [10, 16]. The standard intruder theory $\mathcal{I}$ implements the Dolev-Yao model [15, 28] in our notation. For the sake of readability, the original typesetting grays out the information produced by each rule; in the rendering of Figure 2 above, the facts newly produced by a rule are listed first in its consequent, followed by the facts carried along from its antecedent. Observe that these rules display an overly conservative bookkeeping strategy for the known messages: knowledge is never discarded, but carried along as new messages are inferred.

The intruder capabilities formalized in the strand model rely on a slightly different strategy for managing captured knowledge: inferring new information has the effect of deleting the data it was constructed from. Moreover, it can discard information. However, explicit duplication is possible. We express this behavior by the set of rules $\mathcal{I}'$ in Figure 3.

Clearly, our original intruder model $\mathcal{I}$ can easily be simulated by a systematic use of the duplication rule of $\mathcal{I}'$. Going in the other direction is slightly more complicated as $\mathcal{I}$ never discards any information. The substantial equivalence of these two systems is summarized in the following result.

Property 2.2 Let $\mathcal{R}$ be an arbitrary protocol theory, and $S_1$ and $S_2$ two states.

• For every rule sequence $\vec r$ in $\mathcal{R}, \mathcal{I}$ such that $S_1 \xrightarrow{\ \vec r\ }{}^{*}_{\mathcal{R},\mathcal{I}} S_2$, there exists a rule sequence $\vec r'$ in $\mathcal{R}, \mathcal{I}'$ such that $S_1 \xrightarrow{\ \vec r'\ }{}^{*}_{\mathcal{R},\mathcal{I}'} S_2$.

• For every rule sequence $\vec r'$ in $\mathcal{R}, \mathcal{I}'$ such that $S_1 \xrightarrow{\ \vec r'\ }{}^{*}_{\mathcal{R},\mathcal{I}'} S_2$, there exist a rule sequence $\vec r$ in $\mathcal{R}, \mathcal{I}$ and an intruder state $I'$ such that $S_1 \xrightarrow{\ \vec r\ }{}^{*}_{\mathcal{R},\mathcal{I}} S_2, I'$.

Proof: The idea underlying the proof of the first statement is that every rule in $\mathcal{I}$ can be emulated by the corresponding rule in $\mathcal{I}'$ preceded by one or more applications of $dup$. Rule $del$ is never used. The transition sequence $\vec r'$ is derived from $\vec r$ according to this strategy. A formal proof proceeds by induction on $\vec r$.

The proof of the second half of this property is based on the observation that rule dup can be emulated in $\mathcal{I}$ by applying snd and rec in succession. Rules rec'–pers' are mapped to their unprimed namesakes in $\mathcal{I}$, which has the effect of retaining copies of intermediate intruder information. Rule del is discarded. The extra intruder knowledge predicates resulting from these two situations are collected in the intruder state fragment $I'$. Again, this is formally proved by induction on $\bar r'$. □

Figure 3. The Modified Intruder Theory $\mathcal{I}'$

  (Receive)     rec':   N(m) → I(m)
  (Decompose)   dcmp':  I(m_1, m_2) → I(m_1), I(m_2)
  (Decrypt)     decr':  I({m}_k), I(k'), KeyP(k, k') → I(m), KeyP(k, k')
  (Send)        snd':   I(m) → N(m)
  (Compose)     cmp':   I(m_1), I(m_2) → I(m_1, m_2)
  (Encrypt)     encr':  I(m), I(k) → I({m}_k)
  (Nonce)       nnc':   · → ∃n. I(n)
  (Persistent)  pers':  π(m) → I(m), π(m)
  (Duplicate)   dup:    I(m) → I(m), I(m)
  (Delete)      del:    I(m) → ·
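To make the two bookkeeping strategies concrete, here is an added example (not code from the paper) that encodes the rules of Figure 3 as ground multiset rewriting steps in Python and replays one derivation twice: once with the primed rules, which consume their premises, and once through the dup-based emulation of $\mathcal{I}$ from the first half of Property 2.2, which carries them along. The message encoding, the fact tuples and the sample initial state are this example's own constructions.

```python
from collections import Counter

# Messages: atoms are strings, pairs ('pair', m1, m2), encryptions ('enc', m, k).
# Facts:    ('N', m) message on the network, ('I', m) intruder knowledge,
#           ('KeyP', k, k_) persistent key-pair information. A state is a multiset of facts.

def pair(m1, m2):
    return ('pair', m1, m2)

def enc(m, k):
    return ('enc', m, k)

def rewrite(state, lhs, rhs):
    """One ground rewrite step: consume the facts in lhs (with multiplicity), add rhs."""
    new = Counter(state)
    for fact in lhs:
        if new[fact] <= 0:
            raise ValueError(f"rule not applicable, missing {fact!r}")
        new[fact] -= 1
    new.update(rhs)
    return +new  # unary plus drops facts whose count fell to zero

def flatten(t):
    """All atoms occurring in a message or fact (used for the freshness check)."""
    return [t] if isinstance(t, str) else [a for sub in t[1:] for a in flatten(sub)]

# The rules of I' (Figure 3): each one deletes the knowledge it was built from.
def rec_(s, m):         return rewrite(s, [('N', m)], [('I', m)])
def snd_(s, m):         return rewrite(s, [('I', m)], [('N', m)])
def dcmp_(s, m1, m2):   return rewrite(s, [('I', pair(m1, m2))], [('I', m1), ('I', m2)])
def cmp_(s, m1, m2):    return rewrite(s, [('I', m1), ('I', m2)], [('I', pair(m1, m2))])
def encr_(s, m, k):     return rewrite(s, [('I', m), ('I', k)], [('I', enc(m, k))])
def dup(s, m):          return rewrite(s, [('I', m)], [('I', m), ('I', m)])
def del_(s, m):         return rewrite(s, [('I', m)], [])

def decr_(s, m, k, k_):
    return rewrite(s, [('I', enc(m, k)), ('I', k_), ('KeyP', k, k_)],
                   [('I', m), ('KeyP', k, k_)])

def nnc_(s, n):
    """Nonce generation: the existential must pick a constant absent from the whole state."""
    if any(n in flatten(fact) for fact in s):
        raise ValueError(f"{n!r} is not fresh")
    return rewrite(s, [], [('I', n)])

def conservative(rule, s, *args, consumed):
    """Emulate the corresponding rule of I: duplicate every I-fact the rule consumes,
    then apply the primed rule, so the original knowledge is carried along (Property 2.2)."""
    for m in consumed:
        s = dup(s, m)
    return rule(s, *args)

# Constructed sample state: the intruder holds its own private key Ke_inv and sees
# {Na, A}_Ke on the network (principal A has opened a session with the intruder).
KE, KE_INV, NA = 'Ke', 'Ke_inv', 'Na'
CIPHER = enc(pair(NA, 'A'), KE)
S0 = Counter({('KeyP', KE, KE_INV): 1, ('I', KE_INV): 1, ('N', CIPHER): 1})

def run_frugal(s=S0):
    """I' bookkeeping: Na is learnt, but the ciphertext and the key copy are consumed."""
    s = rec_(s, CIPHER)
    s = decr_(s, pair(NA, 'A'), KE, KE_INV)
    return dcmp_(s, NA, 'A')

def run_conservative(s=S0):
    """The same derivation with the never-discard strategy of I, obtained through dup."""
    s = rec_(s, CIPHER)  # rec consumes a network fact, not knowledge: no dup needed
    s = conservative(decr_, s, pair(NA, 'A'), KE, KE_INV, consumed=[CIPHER, KE_INV])
    return conservative(dcmp_, s, NA, 'A', consumed=[pair(NA, 'A')])
```

Comparing the two final states shows exactly the "extra intruder knowledge predicates" $I'$ of the second half of Property 2.2: the conservative run keeps the ciphertext, the key copy and the decrypted pair that the frugal run has spent.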


3  Strand  Constructions 

This section introduces strand spaces and the dynamic extension that will be considered throughout
this  paper.  We  start  with  some  basic  definitions  from  graph  theory  (Section  3.1).  We  then  introduce  the 
strands  and  related  concepts  as  a  graphical  language  to  describe  protocol  executions  (Section  3.2).  It  is  then 
upgraded  with  a  syntax  for  protocols  as  first-class  objects  and  a  dynamic  semantics  that  emulates  step-wise 
execution  (Section  3.3).  These  extensions  are  of  independent  interest  and  some  of  their  properties  will 
be  further  analyzed  in  Appendix  B.  We  conclude  with  a  presentation  of  penetrator  strands  as  the  intruder 
model  of  strand  spaces  (Section  3.4). 

3.1  Preliminary  Definitions 

A directed graph G is a pair (S, →) where S is the set of nodes of G and → ⊆ S × S is the set of edges of G. We will generally write v_1 → v_2 for (v_1, v_2) ∈ →. A directed labeled graph G_L is a structure (S, →, L, λ) where (S, →) is a directed graph, L is a set of labels, and λ : S → L is a labeling function that associates a label to every node. In the sequel, all our graphs will be directed and labeled, but we will generally keep λ implicit for simplicity. In particular, for v ∈ S and l ∈ L, we will write "v = l" as an abbreviation of λ(v) = l. However, for v_1, v_2 ∈ S, expressions of the form "v_1 = v_2" shall always refer to the nodes themselves, and not to their labels.

A graph G = (S, →) is a chain if there is a total ordering v_1, v_2, ... of the elements of S such that v_i → v_j iff j = i + 1. A graph G = (S, →) is a disjoint union of chains if S = ⋃_{i∈I} S_i and → = ⋃_{i∈I} →_i (for some set I) and (S_i, →_i) are chains for each i ∈ I.

A bipartite graph is a structure G = (S_1, S_2, →) such that S_1 and S_2 are disjoint, (S_1 ∪ S_2, →) is a graph, and if v_1 → v_2 then v_1 ∈ S_1 and v_2 ∈ S_2. Observe that all edges go from S_1 to S_2 (i.e. → ⊆ S_1 × S_2).

We say that G = (S_1, S_2, →) is

• functional if → is a partial function (i.e. if v → v'_1 and v → v'_2 imply v'_1 = v'_2).

• injective if → is injective (i.e. if v_1 → v' and v_2 → v' imply v_1 = v_2).

• surjective if → is surjective onto S_2 (i.e. for each v' ∈ S_2 there is v ∈ S_1 such that v → v').

Figure 4. Parametric Strand Specification of the Needham-Schroeder Protocol

  Alice(A, B, N_A, N_B)                      Bob(A, B, N_A, N_B)
  N_A fresh, π_A(A, B)                       N_B fresh, π_B(A, B)

        {N_A, A}_{K_B}    ─────────→    {N_A, A}_{K_B}
        {N_A, N_B}_{K_A}  ←─────────    {N_A, N_B}_{K_A}
        {N_B}_{K_B}       ─────────→    {N_B}_{K_B}

  where  π_A(A, B) = Pr(A), PrvK(A, K_A^{-1}), Pr(B), PubK(B, K_B)
         π_B(A, B) = Pr(B), PrvK(B, K_B^{-1}), Pr(A), PubK(A, K_A)

A bi-graph G is a structure (S, ⇒, →) where both (S, ⇒) and (S, →) are graphs.

In the sequel, we will often rely on the natural adaptation of standard graph-theoretic notions (e.g. isomorphism) to labeled graphs and bi-graphs.

3.2  Strands  and  Bundles 

An event is a pair consisting of a message m and an indication of whether it has been sent (+m) or received (−m) [33]. The set of all events will be denoted ±M.

A strand is a finite sequence of events, i.e. an element of (±M)*. We indicate strands with the letter s, the length of a strand as |s|, and its i-th event as s_i (for i = 1, ..., |s|). Observe that a strand s can be thought of as a chain graph (S, ⇒) with labels over ±M, where S = {s_i : i = 1, ..., |s|} and s_i ⇒ s_j iff j = i + 1.

Slightly simplifying from [33], a strand space is a set of strands with an additional relation (→) on the nodes. The only condition is that if v_1 → v_2, then v_1 = +m and v_2 = −m (for the same message m). Therefore, → represents the transmission of the message m from the sender v_1 to the receiver v_2. Alternatively, a strand space can be viewed as a labeled bi-graph σ = (S, ⇒, →) with labels over ±M, ⇒ ⊆ S × S, and → ⊆ S^+ × S^− where S^+ and S^− indicate the set of positively- and negatively-labeled nodes in S respectively, and the constraints discussed above: (S, ⇒) is a disjoint union of chains, and if v_1 → v_2, then v_1 = +m and v_2 = −m for some message m.

A bundle is a strand space σ = (S, ⇒, →) such that the bipartite graph (S^+, S^−, →) is injective and surjective, and the graph obtained by dropping the distinction between ⇒ and → is acyclic. In terms of protocols, the first two constraints imply that no message is received from more than one sender, and every received message has been sent, respectively. Dangling positive nodes correspond to messages in transit. Slightly departing from [33, 31], it will be convenient to restrict our attention to functional bundles, which corresponds to adding the further constraint that a message is sent to at most one recipient at a time. An arbitrary bundle can be easily made functional by inserting T strands from the standard intruder toolkit, developed in Section 3.4.

If we think in terms of protocols, a bundle represents a snapshot of the execution of a protocol. As we will see in Section 3.3 and in Appendix B, this comprises a current global state (what each principal and the intruder are up to, and the messages in transit), as well as a precise account of how this situation has been reached. Each role is expressed as a strand in the current bundle. The intruder capabilities are themselves modeled as a fixed set of penetrator strands, which can be woven into a bundle. We postpone the exact definition until Section 3.4 as the construction we propose in the next sections will generalize the presentation in [33, 31].

3.3  Extensions 

We  now  refine  these  concepts  with  a  language  to  describe  protocols  as  first-class  objects  and  a  semantics 
to  grow  bundles  dynamically.  Following  [9],  similar  extensions  have  become  popular  in  the  strand  literature, 
e.g.  [11,17,19,26]. 

The notion of role is kept implicit in [33] and introduced as the concept of trace-type in [31]. A role is nothing but a parametric strand: a strand where the messages may contain variables. An actual strand is obtained by instantiating all the variables in a parametric strand (or an initial segment of one) with persistent information and actual message pieces. For simplicity, we will not define nor consider constructions corresponding to arbitrary well-founded protocol theories (see Section 2 and [10, 16]).

A parametric strand for the role ρ may look as in Figure 5. The freshness of n̄, i.e. the fact that the variables n̄ should be instantiated with "new" constants that have not been used before, is expressed as a side condition. Using the terminology in [33, 31], the values n̄ are uniquely originated. This descriptive notion is sufficient to characterize fresh information in a stopped execution. In a parametric strand, 'n̄ fresh' (like ∃n̄ in the previous section) has instead prescriptive strength as it shall enforce freshness as the execution unfolds rather than just acknowledge it. Therefore, 'fresh' is an operator in our specification calculus while unique origination only needed to be a meta-level property in [33, 31]. The relationships between variables are expressed in [31] using intuitive notation, e.g. k^{-1} for the inverse key of k, or k_A for the key of A. We formalize these relations by equipping ρ with the constraints π(x̄), that, without loss of generality, will be a set of persistent atomic formulas from Section 2, parameterized over x̄.

As in the case of transition systems, a protocol is given as a set of roles. The model of the intruder in the style of Dolev and Yao [15, 28] is also specified as a set of parametric strands P(I_0) called penetrator strands, where I_0 is the intruder's initial knowledge (see Section 3.4 or [31] for a definition). As an example, Figure 4 shows how the Needham-Schroeder public key protocol is modeled using parametric strands, where we have used incoming and outgoing arrows instead of the tags + and − for readability.

As in Section 2.1, a substitution is a finite tuple δ = (t_1/x_1, ..., t_n/x_n) of term-variable pairs t_i/x_i. The domain of δ is dom(δ) = (x_1, ..., x_n), with each x_i distinct. All our substitutions will be ground, by which we mean that none of the t_i's will contain any variable. We will rely on two types of substitutions: substitutions that replace variables with distinct fresh constants that have not been previously encountered, and substitutions that map variables to previously used ground terms (not necessarily constants). We will use the letters ξ and θ, possibly subscripted, to denote them respectively. We will use δ for substitutions that mix these two components. Given a parametric message m with variables in dom(δ), we denote the application of δ to m as m[δ]. Given substitutions δ_1, ..., δ_n, we write m[δ_1 ··· δ_n] for (...(m[δ_1])...)[δ_n]. We extend this notation to nodes, writing v[δ], and to (possibly partially instantiated) parametric strands, with the notation ρ[δ].

These definitions allow us to specialize the bundles we will be looking at: given a set of parametric strands Σ, every strand in a bundle σ should be a fully instantiated initial prefix of a protocol (or penetrator) strand. We are interested in initial prefixes since a bundle is a snapshot of the execution of a protocol, and a particular role instance may be halfway through its execution. We then say that σ is a bundle over Σ. We need to generalize strand constructions to admit strand spaces containing partially instantiated parametric strands. We call them parametric strand spaces. The bundles we will consider will however always be ground.

We  will  now  give  a  few  definitions  needed  to  emulate  the  execution  of  a  protocol  with  parametric  strands. 
No  such  definitions  can  be  found  in  the  original  description  of  strand  constructions  [33,  31],  which  focuses 
on  analyzing  protocol  traces,  not  on  specifying  how  to  generate  them. 

First, observe that the network traffic in a bundle is expressed in terms of events and of the → relation. The edges of → represent past traffic: messages that have been sent and successfully received. The dangling positive nodes correspond to current traffic: messages in transit that have been sent, but not yet received. We will call these nodes the fringe of the bundle (or strand space). More formally, given a strand space σ = (S, ⇒, →), its fringe is the set

Fr(σ) = {v : v ∈ S, v = +m, and there is no v' such that v → v'}
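As an added example (not part of the paper), the following Python encodes a strand space as a labeled bi-graph and checks the bundle conditions of Section 3.2 (injective, surjective, acyclic, and optionally functional) together with the fringe Fr(σ) just defined, on constructed instances of the Needham-Schroeder strands of Figure 4. The node encoding (strand index, position) and the plain-string messages are this example's own conventions.

```python
from collections import defaultdict

class StrandSpace:
    """A strand space as a labeled bi-graph (S, =>, ->): nodes are (strand, position),
    events are ('+', m) or ('-', m), => links successive positions of one strand, and
    comm is the -> relation as a set of (sender, receiver) node pairs."""

    def __init__(self, strands, comm):
        self.strands = strands
        self.nodes = {(i, j): ev for i, s in enumerate(strands) for j, ev in enumerate(s)}
        self.comm = set(comm)
        # The only condition on a strand space: v1 -> v2 implies v1 = +m and v2 = -m.
        for v1, v2 in self.comm:
            (sg1, m1), (sg2, m2) = self.nodes[v1], self.nodes[v2]
            if not (sg1 == '+' and sg2 == '-' and m1 == m2):
                raise ValueError(f"{v1} -> {v2} does not transmit a single message")

    def succ(self, v):
        """The =>-successor of v on its own strand, or None at the end of the chain."""
        i, j = v
        return (i, j + 1) if j + 1 < len(self.strands[i]) else None

    def _signed(self, sign):
        return [v for v, (sg, _) in self.nodes.items() if sg == sign]

    def _indegree(self):
        deg = defaultdict(int)
        for _, v2 in self.comm:
            deg[v2] += 1
        return deg

    def _outdegree(self):
        deg = defaultdict(int)
        for v1, _ in self.comm:
            deg[v1] += 1
        return deg

    def is_injective(self):
        """No message is received from more than one sender."""
        return all(n <= 1 for n in self._indegree().values())

    def is_surjective(self):
        """Every received message has actually been sent."""
        deg = self._indegree()
        return all(deg[v] >= 1 for v in self._signed('-'))

    def is_functional(self):
        """A message is sent to at most one recipient at a time (functional bundles)."""
        return all(n <= 1 for n in self._outdegree().values())

    def is_acyclic(self):
        """The graph obtained by merging => and -> has no cycle (depth-first colouring)."""
        out = defaultdict(list)
        for v in self.nodes:
            if self.succ(v) is not None:
                out[v].append(self.succ(v))
        for v1, v2 in self.comm:
            out[v1].append(v2)
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {v: WHITE for v in self.nodes}

        def visit(v):
            colour[v] = GREY
            for w in out[v]:
                if colour[w] == GREY or (colour[w] == WHITE and not visit(w)):
                    return False
            colour[v] = BLACK
            return True

        return all(colour[v] != WHITE or visit(v) for v in self.nodes)

    def is_bundle(self):
        return self.is_injective() and self.is_surjective() and self.is_acyclic()

    def fringe(self):
        """Fr(sigma): positive nodes with no outgoing ->, i.e. the messages in transit."""
        deg = self._outdegree()
        return sorted(v for v in self._signed('+') if deg[v] == 0)

# Constructed sample data: the two Needham-Schroeder strands of Figure 4, instantiated.
ALICE = [('+', '{Na,A}Kb'), ('-', '{Na,Nb}Ka'), ('+', '{Nb}Kb')]
BOB = [('-', '{Na,A}Kb'), ('+', '{Na,Nb}Ka'), ('-', '{Nb}Kb')]

# A complete run: all three messages delivered, nothing in transit.
COMPLETE = StrandSpace([ALICE, BOB], {((0, 0), (1, 0)), ((1, 1), (0, 1)), ((0, 2), (1, 2))})
# A snapshot: Alice has sent {Nb}Kb, Bob has not received it yet (it sits on the fringe).
SNAPSHOT = StrandSpace([ALICE, BOB[:2]], {((0, 0), (1, 0)), ((1, 1), (0, 1))})
# Not a bundle: Bob's first message was never sent by anybody (-> is not surjective).
ORPHAN = StrandSpace([ALICE, BOB], {((1, 1), (0, 1)), ((0, 2), (1, 2))})
# Not a bundle: each strand waits for the other's message before sending its own (a cycle).
CYCLIC = StrandSpace([[('-', 'm2'), ('+', 'm1')], [('-', 'm1'), ('+', 'm2')]],
                     {((0, 1), (1, 0)), ((1, 1), (0, 0))})
```

SNAPSHOT is the situation described for Figure 6 with the last →-edge ignored: a bundle whose fringe holds exactly the message in transit.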

Another component of the execution state of a protocol is a description of the actions that can legally take place in order to continue the execution. First, some technicalities. Let σ be a bundle over a set of parametric strands Σ; a completion of σ is any strand space σ♯ that embeds σ as a subgraph, and that extends each incomplete strand in it with the omitted nodes and the relative ⇒-edges. A completion of σ may contain additional strands, possibly only partially instantiated. If s is a strand in σ and s♯ is its extension in σ♯, the sequence obtained by removing every event in s from s♯ is itself a (possibly empty) strand. We call it a residual strand and indicate it as s♯ \ s. We then write σ♯ \ σ for the set of all residual strands of σ♯ with respect to σ, plus any strands that σ♯ may contain in addition to those in σ.

Figure 6 illustrates these concepts on a standard run of the Needham-Schroeder protocol. Role names and variable instantiations are given in the header. Ignoring for a moment the lower horizontal →-edge, the grayed-out portion of this figure shows a bundle σ representing an initial segment of the execution of this protocol. The strand space σ♯ in the overall figure is a possible completion of σ with respect to the parametric strands given in Figure 4. The set of residual strands σ♯ \ σ is given by the white portion of this figure.

Given these preliminary definitions, a configuration over Σ is a pair of strand spaces (σ, σ♯) where σ is a bundle over Σ, and σ♯ is a completion of σ whose only additional →-edges originate in Fr(σ), cover all of Fr(σ), and point to σ♯ \ σ. Clearly, if σ = (S, ⇒, →) and σ♯ = (S♯, ⇒♯, →♯), we have that S ⊆ S♯ and ⇒ ⊆ ⇒♯, and finally → ⊆ →♯.

Figure 6. A Configuration for the Needham-Schroeder Protocol [diagram not reproduced]

The above figure represents a configuration for the Needham-Schroeder protocol. We will rely on this intuitive format as a diagrammatic abstraction in the remainder of this paper.

A one-step transition is what it takes to go from one bundle to the "next". Since a bundle only keeps track of events that have taken place on each strand, but does not have any record of the remaining events on that strand, we shall define this relation over configurations. There are two ways to make progress in the bundle world: extend an existing strand, or add a new one. Let us analyze them:

• Extending a strand: If the configuration at hand embeds a strand that is not fully contained in its bundle part, then we add the first missing node of the latter and the incoming ⇒-edge. If this node is positive, we add a →-arrow to a matching negative node devoid of any incoming →-arrow. If it is negative, we must make sure that it has an incoming →-edge.

• Creating a strand: Alternatively, we can select a parametric strand and instantiate first its "fresh" variables and then its other parameters. The first operation replaces the "fresh" variables with new values, prescriptively enforcing freshness, while the second relies solely on existing values. Combining these two instantiations into a single operation would either imply abandoning the prescriptive power of "fresh" (which would not serve our purposes), or would lead to a logical deadlock, in general. Take for example the above configuration for the Needham-Schroeder protocol: the initiator cannot instantiate the parameter N_B until the responder has created a nonce N_B for it, and dually for N_A. The execution is possible only if the instantiation of the fresh variable of each role precedes the instantiation of the other variables.

We will now formalize this notion. Let (σ_1, σ_1♯) and (σ_2, σ_2♯) be configurations over a set of parametric strands Σ, with σ_i = (S_i, ⇒_i, →_i) and σ_i♯ = (S_i♯, ⇒_i♯, →_i♯), for i = 1, 2. We say that (σ_2, σ_2♯) immediately follows (σ_1, σ_1♯) by means of move o, written $(\sigma_1,\sigma_1^\sharp) \longmapsto^{o}_{\Sigma} (\sigma_2,\sigma_2^\sharp)$, if any of the following situations apply. An intuitive sense of what each case formalizes can be gained by looking at the pictorial abstraction to the right of each possibility [pictorial abstractions not reproduced]. Here, v, v' and v'' stand for nodes on fully instantiated strands, while v_0 will generally be only partially instantiated.

S_0 — Initial Send: There are nodes v, v'' ∈ S_1♯ \ S_1 such that v = +m, v'' = −m, no →-edge enters v'', and no ⇒-arrow enters v. Then,

S_2 = S_1 ∪ {v}, ⇒_2 = ⇒_1, →_2 = →_1;

S — Successive Send: There are nodes v, v'' ∈ S_1♯ \ S_1 and v' ∈ S_1 such that v = +m, v'' = −m, no →-edge enters v'', and v' ⇒_1♯ v. Then,

R_0 — Initial Receive: There are nodes v ∈ S_1♯ \ S_1 and v'' ∈ S_1 such that v = −m, v'' = +m, v'' →_1♯ v and no ⇒ enters v. Then,

S_2 = S_1 ∪ {v}, ⇒_2 = ⇒_1, →_2 = →_1 ∪ {(v'', v)};

R — Successive Receive: There are nodes v ∈ S_1♯ \ S_1 and v', v'' ∈ S_1 such that v = −m, v'' = +m, v'' →_1♯ v and v' ⇒_1♯ v. Then,

S_2 = S_1 ∪ {v},

C_f — Fresh Variable Instantiation: ρ is a parametric strand in Σ and ξ is a substitution for all its variables marked "fresh" with constants that appear nowhere in (σ_1, σ_1♯). Then,

σ_2 = σ_1; σ_2♯ = σ_1♯ ∪ ρ[ξ].

C_i — Other Variables Instantiation: ρ[ξ] is a partially instantiated parametric strand in σ_1♯ and θ is a ground substitution for the remaining variables. In particular, if ρ[ξ] mentions constraints π, then their instantiation should be compatible with the known persistent data, i.e. π[θ] ⊆ Π. Then,

σ_2 = σ_1; σ_2♯ = (σ_1♯ − ρ[ξ]) ∪ ρ[ξ, θ].

where σ − s is the subgraph of σ obtained by removing all nodes of s and their incident edges.

The move o that labels the transition arrow $\longmapsto_{\Sigma}$ records the necessary information to reconstruct the transition uniquely. Given a configuration (σ, σ♯), a move for transitions of type S_0, S, R_0, and R is a triple o = (v, v_p, v_s) where v is a node, v_p is the parent node of v according to the ⇒ relation (or "−" if v is the first node of a chain, cases S_0 and R_0), and v_s is the recipient of the message that labels v along the → relation (if v is positive, or "−" otherwise). For transitions of type C_f and C_i, moves have the form (ρ, ξ) and (v_0, θ) respectively, where ρ is the name of the chosen parametric strand, v_0 is the first node of the partially instantiated strand ρ[ξ], and ξ and θ are the instantiating substitutions.

A multistep transition amounts to chaining zero or more one-step transitions. This relation is obtained by taking the reflexive and transitive closure of $\longmapsto^{o}_{\Sigma}$, written $\longmapsto^{\bar o}_{\Sigma}$, where ō is the sequence of the component moves ("·" if empty). ō is a trace of the computation.

Observe that our definition of transition preserves configurations, i.e. if (σ_1, σ_1♯) is a configuration and $(\sigma_1,\sigma_1^\sharp) \longmapsto^{o}_{\Sigma} (\sigma_2,\sigma_2^\sharp)$, then (σ_2, σ_2♯) is also a configuration. This property clearly extends to multistep transitions.

Property 3.1 Let (σ_1, σ_1♯) be a configuration.

1. If $(\sigma_1,\sigma_1^\sharp) \longmapsto^{o}_{\Sigma} (\sigma_2,\sigma_2^\sharp)$, then (σ_2, σ_2♯) is a configuration.

2. If $(\sigma_1,\sigma_1^\sharp) \longmapsto^{\bar o}_{\Sigma} (\sigma_2,\sigma_2^\sharp)$, then (σ_2, σ_2♯) is a configuration.

Proof: By inspection, it is easy to ascertain that each form of transition produces a configuration when applied to a configuration. The second part of this lemma is proved by induction on the length of ō. □

An  analysis  of  the  notions  just  defined  can  be  found  in  Appendix  B. 

3.4  Penetrator  Strands 

We now formalize the intruder model of [33, 31], which consists of patterns called penetrator strands, and of a set of messages I_0 expressing the intruder's initial knowledge. The corresponding parametric strands are shown in Figure 7, which includes a case to handle intruder-generated nonces. Since freshness is a descriptive property in [33, 31], this possibility is handled by the M penetrator strand. For convenience of comparison with the multiset model, we also distinguished cases M(m) and [illegible], which are identified in [33, 31]. We refer to the collection of (parametric) penetrator strands in Figure 7 as P(I_0).

Figure 7. The Penetrator Strands P [diagram not reproduced]

Several observations need to be made. First, the intruder specification underlying penetrator strands follows the Dolev-Yao model [15, 28]. The parametric strands in Figure 7 are indeed closely related to the multiset rewriting intruder model $\mathcal{I}'$ above. A translation can be found in Sections 4.2.2 and 5.2.2 below.

As a final remark, notice that the transition system specification distinguishes between messages transmitted on the network (identified by the predicate symbol N) and messages intercepted and manipulated by the intruder. Indeed, the predicate I implements a private database, a workshop for the fabrication of unauthorized messages, hidden from the honest principals of the system. No such distinction exists in the strand world. Therefore, it seems that the intruder dismantles and puts together messages in the open, under the eyes of the other principals in the system. This is not a problem as honest agents expect messages of a very specific format. Moreover, when such a principal accepts the result of penetrator manipulations, this can be viewed as a final product of message forgery rather than an intermediate step.

The concepts and extensions we have just introduced set the basis for the translations between the multiset rewriting approach to security protocol specification and strand constructions. We describe the two directions of these translations in Sections 4 and 5, respectively.


4  From  Multisets  to  Strands 

We  observed  that  multiset  rewriting  is  a  state-based  specification  language  for  concurrent  systems,  while 
the  strand  space  formalism  is  process-based.  In  general,  a  translation  from  this  first  paradigm  to  the  second 
needs  to  be  rather  elaborate  to  be  faithful  [2]  as  their  atomic  steps  have  different  granularity.  Multiset 
rewriting  specifications  for  security  protocols  have  however  a  particularly  streamlined  form,  with  one  action 
per  rule  and  a  control  structure  highly  regulated  by  the  role  state  predicates.  This  will  considerably  simplify 
the  translation  in  this  direction.  The  basic  idea  will  be  to  map  a  set  of  multiset  rewrite  rules  specifying  a 
role  to  a  parametric  strand.  In  particular,  rules  will  correspond  to  nodes,  and  the  role  state  predicates  will 
be replaced by the backbone (⇒) of the strand. The technique is described in a more general form in [3].

It  will  be  convenient  to  stage  this  translation  into  two  steps:  we  first  operate  within  the  multiset  rewriting 
formalism  and  transform  a  regular  protocol  theory  into  an  equivalent  but  more  manageable  normal  form 
(Section 4.1). Normal protocol theories are then rather directly mapped to strands (Section 4.2), which
permits  a  very  simple  proof  of  correctness. 

4.1  Normal  Protocol  Theories 

A  normal  protocol  theory  collapses  the  generation  step  of  each  role  and  its  first  action  of  the  execution 
in  a  single  rule.  It  also  requires  that  all  the  nonces  used  in  a  role  be  chosen  up-front.  We  will  now  formalize 
this  intuition  and  show  how  to  normalize  a  regular  protocol  theory.  For  simplicity,  we  will  describe  the 
two parts of this transformation as if they were two separate steps. Note that these transformations are only
used  for  mathematical  convenience  as  we  devise  a  mapping  from  multiset  rewriting  specifications  to  the 
strand  model:  non-normal,  and  even  non-regular,  protocol  theories  are  often  more  perspicuous  than  their 
normalized  counterparts. 

Role generation rule: We subsume the role generation rule of every role ρ, i.e. the rule r_{ρ0} : π(x̄) → A_{ρ0}(x̄), π(x̄), into the first rule of ρ. For each of its two schematic forms:

r_{ρ1} : A_{ρ0}(x̄) → ∃n̄. A_{ρ1}(x̄, n̄), N(m(x̄, n̄))
r_{ρ1} : A_{ρ0}(x̄), N(m(x̄, ȳ)) → A_{ρ1}(x̄, ȳ)

we obtain the following rules:

r̃_{ρ1} : π(x̄) → ∃n̄. A_{ρ1}(x̄, n̄), N(m(x̄, n̄)), π(x̄)
r̃_{ρ1} : π(x̄), N(m(x̄, ȳ)) → A_{ρ1}(x̄, ȳ), π(x̄)

respectively. Observe that, by definition of role state predicate, the parameters x̄ include the arguments of the elided A_{ρ0} (as usual, m(x̄) does not need to mention each variable in x̄). This amounts to setting initial values in the first step of a role, rather than prior to any message exchange.

If $\mathcal{R}$ is a regular protocol theory, we will denote the effect of this transformation as $\tilde{\mathcal{R}}$. If S is a state, the transformed state S̃ is obtained by dropping every mention of an initial role state A_{ρ0} from S. Clearly, S̃_0 = S_0 for any initial state S_0. Similarly, a transition sequence r̄ is mapped to a sequence r̃ from which all the instances of rules of the form r_{ρ0} have been dropped, and the uses of r_{ρ1} have been replaced with r̃_{ρ1}.

The above transformation is sound and complete as witnessed by the following result:

Lemma 4.1 Let $\mathcal{R}$ be a regular protocol theory with initial state $S_0$ and $S$ a state. Then,

1. If $S_0 \xrightarrow{\bar r}_{\mathcal{R}} S$, then $\tilde S_0 \xrightarrow{\tilde r}_{\tilde{\mathcal{R}}} \tilde S$.

2. If $S_0 \xrightarrow{\tilde r}_{\tilde{\mathcal{R}}} S$, then $S_0 \xrightarrow{*}_{\mathcal{R}} S$.

Proof: In both cases, the proof proceeds by induction on the length of the given transition sequences.

1. If r̄ = ·, then the result follows immediately since r̃ = ·.

Assume then that the transition sequence at hand has the form (r̄, r), with $S_0 \xrightarrow{\bar r}_{\mathcal{R}} S'$ and $S' \xrightarrow{r}_{\mathcal{R}} S$ for some state S'. By induction hypothesis, we know that $\tilde S_0 \xrightarrow{\tilde r}_{\tilde{\mathcal{R}}} \tilde S'$. We then show by cases on r that this property can be extended to (r̄, r).

• If r is any rule beside r_{ρ0} or r_{ρ1}, then its applicability does not change when going from S' to S̃' since this transformation only affects initial role states. For the same reason, its application clearly produces S̃.

• If r has the form r_{ρ1} for some role ρ, then r̃_{ρ1} differs from r only by the addition of the persistent predicates π(x̄) of r_{ρ0}. It is therefore applicable only if the proper instance of these predicates, π(t̄) say, holds in the current state S̃'. By definition of state, this reduces to requiring that π(t̄) ⊆ Π. However, by definition of persistent information, Π is contained in every state. Thus it is sufficient to show that there exists one state S_π such that π(t̄) ⊆ S_π. Now, since r_{ρ1} is enabled in S', it must be the case that an identical instantiation of r_{ρ0} appears in r̄. The state to which r_{ρ0} applies is precisely S_π.

• If r has the form r_{ρ0}, then S̃ = S̃'. By induction hypothesis, $\tilde S_0 \xrightarrow{\tilde r}_{\tilde{\mathcal{R}}} \tilde S'$, which is what we want since the transformation cancels r.

2. If r̃ = ·, the result is immediate.

Otherwise, the transition sequence will have the form (r̃, r). Again, we assume the result holds for r̃ and show by cases that it must also hold for the extended sequence.

• If r = r̃_{ρ1} for some role ρ, then we restore it as r_{ρ0} immediately followed by r_{ρ1}.

• In all other cases, we leave r unchanged. □


Observe that applying this transformation and then "undoing" it as specified in the above lemma is not equivalent to the identity transformation: going in the reverse direction, we group occurrences of r_{ρ0} and r_{ρ1} together, and moreover we eliminate every isolated instance of r_{ρ0}. Restating this lemma relative to general rather than regular protocol theories would be incorrect: assume that $S_0 \longrightarrow_{\mathcal{R}} S_1$ thanks to the initialization rule r_{ρ0} of some role ρ. As in Section 2.3, assume also that the first message exchange rule r_{ρ1} of this role contains a persistent predicate which does not have any instantiation in Π. The normal form of r_{ρ0} would then contain this constraint, making it inapplicable to any state S_1 would be mapped to. This scenario can clearly not occur when starting from a regular protocol theory since, by definition, all the accesses to persistent predicates are confined in the role instantiation rule.

An  alternative  way  to  go  about  it  is  to  statically  bind  persistent  information  to  any  point  in  a  protocol 
description  where  it  is  used.  A  realization  of  this  idea  by  means  of  a  strong  typing  infrastructure 
is  at  the  basis  of  MSR  [7],  a  thorough  redesign  of  the  multiset  rewriting  formalism  discussed  in  this 
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paper.  Although  the  language  discussed  here  has  been  superceded  by  MSR  for  any  practical  purposes, 
the  results  shown  here  should  not  be  dismissed  as  obsolete.  Indeed,  MSR  builds  on  the  language 
considered  here,  and  any  mapping  between  MSR  and  strand  spaces  is  likely  to  use  that  language  as  a 
meeting  point,  or  risk  a  considerably  more  complex  translation. 

Nonces: We further transform protocol theories so that all nonces generated by a role are preemptively chosen in the first rule of that role. We accomplish this by adding extra arguments to role state predicates, and pass the nonces generated in the first rule to subsequent uses through fresh variables in these predicates. Since roles are bounded, there are only a small finite number of nonces that need to be generated in an entire role. This transformation intuitively means that a participant should roll all her dice immediately, and look at them as needed later.

More formally, let $\rho$ be the multiset rewriting specification of a role as from the previous transformation, and let $e_{\rho i}$ be the number of existentially quantified variables in rule $r_{\rho i}$, for $i = 1..|\rho|$. We map each role state predicate $A_{\rho i}(x)$ in $\rho$ to a predicate of the form

$\bar A_{\rho i}(x, n_{i+1}, \ldots, n_{|\rho|})$

where, for $j = i+1..|\rho|$, there are exactly $e_{\rho j}$ elements in $n_j$, and each of the added arguments is a distinct new variable.

We transform rules by replacing each state predicate $A_{\rho i}$ with $\bar A_{\rho i}$, and moving existential quantifiers to the first rule of the role. As a result, we are left with the following normalized rules:

Role generation rules:

$\bar r_{\rho 1} : \pi(x) \longrightarrow \exists n.\ \bar A_{\rho 1}(x, n), N(m(x, n)), \pi(x)$

$\bar r_{\rho 1} : \pi(x), N(m(x, y)) \longrightarrow \exists n.\ \bar A_{\rho 1}(x, y, n), \pi(x)$

Other rules:

$\bar r_{\rho,i+1} : \bar A_{\rho i}(x) \longrightarrow \bar A_{\rho,i+1}(x), N(m(x))$

$\bar r_{\rho,i+1} : \bar A_{\rho i}(x), N(m(x, y)) \longrightarrow \bar A_{\rho,i+1}(x, y)$

where all the newly introduced variables in rule $\bar r_{\rho 1}$ are existentially quantified. Given a role $\rho$, we denote the normalized specification as $\bar\rho$. We write $\bar{\mathcal R}$ for the application of this transformation to a protocol theory $\mathcal R$.
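The nonce transformation just described, carried out mechanically on a small role. This is an added example and not code from the paper: it represents a role as a list of send/receive rules (messages are plain strings, variable names are illustrative), computes the vectors $n_{i+1}, \ldots, n_{|\rho|}$ that each $\bar A_{\rho i}$ must carry, and moves every existential quantifier into rule 1. The Needham-Schroeder responder used as input, and the `Rule`/`normalize_role` names, are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Rule:
    """One rule of a role, in the shape of the paper's regular protocol theories.
    kind: "send" (consequent carries N(msg)) or "recv" (antecedent carries N(msg)).
    fresh: nonces this rule generates (existentially quantified, e_{rho,i} of them);
    learned: variables a receive step first sees in the incoming message (the y)."""
    kind: str
    msg: str
    fresh: List[str] = field(default_factory=list)
    learned: List[str] = field(default_factory=list)

def _pred(name, args):
    return f"{name}({','.join(args)})"

def normalize_role(rho, rules, persistent):
    """Choose every nonce of the role in rule 1 and thread the unused ones through
    the extra arguments of the role state predicates \\bar A_{rho,i}.
    Returns one dict per normalized rule with antecedent/existential/consequent."""
    nonces = [list(r.fresh) for r in rules]      # n_1 .. n_|rho|, one vector per rule
    pi = _pred("pi", persistent)                  # persistent information pi(x)
    known = list(persistent)                      # x: variables known before rule i
    out = []
    for i, r in enumerate(rules, start=1):
        # \bar A_{rho,i-1} carries the nonces of rules i..|rho|, \bar A_{rho,i} those of i+1..|rho|
        tail_before = [n for v in nonces[i - 1:] for n in v]
        tail_after = [n for v in nonces[i:] for n in v]
        if i == 1:
            ante, exist = [pi], list(tail_before)  # all dice are rolled up front
        else:
            ante, exist = [_pred(f"A_{rho}{i-1}", known + tail_before)], []
        if r.kind == "send":
            known = known + nonces[i - 1]         # the nonces sent now join x
            cons = [_pred(f"A_{rho}{i}", known + tail_after), f"N({r.msg})"]
        elif r.kind == "recv":
            ante = ante + [f"N({r.msg})"]
            known = known + r.learned             # y learned from the network
            cons = [_pred(f"A_{rho}{i}", known + tail_after)]
        else:
            raise ValueError(f"unknown rule kind {r.kind!r}")
        if i == 1:
            cons.append(pi)                       # rule 1 keeps pi(x) in the state
        out.append({"name": f"r_{rho}{i}", "antecedent": ante,
                    "existential": exist, "consequent": cons})
    return out

def existentials_only_in_first(normalized):
    """The defining property of a normalized role."""
    return all(not r["existential"] for r in normalized[1:])

# Constructed input: the Needham-Schroeder responder (receive, send a fresh
# nonce, receive); the nonce Nb of rule 2 must migrate to rule 1.
RESPONDER = [
    Rule("recv", "enc(A,Na,kB)", learned=["Na"]),
    Rule("send", "enc(Na,Nb,kA)", fresh=["Nb"]),
    Rule("recv", "enc(Nb,kB)"),
]

if __name__ == "__main__":
    for r in normalize_role("B", RESPONDER, ["A", "B", "kA", "kB"]):
        ex = f"exists {','.join(r['existential'])}. " if r["existential"] else ""
        print(f"{r['name']}: {', '.join(r['antecedent'])} -> {ex}{', '.join(r['consequent'])}")
```

Running it prints the three normalized rules: rule 1 binds `Nb` under the existential and stores it in `A_B1(A,B,kA,kB,Na,Nb)`, rule 2 then merely copies it into the outgoing message, exactly the "roll all dice first" reading of the transformation.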

In order to formally relate a regular protocol theory with its normalized form, we need to assess the effect of normalization on states. Given a ground predicate $P$ in a state $S$, we construct the open term $\bar P$ corresponding to the possible normalizations of $P$ as follows:

$\overline{A_{\rho i}(t)} = \bar A_{\rho i}(t, n_{i+1}, \ldots, n_{|\rho|})$ where $n_{i+1}, \ldots, n_{|\rho|}$ consist of distinct variables

$\bar P = P$ if $P$ is not a role state predicate

It is easy to extend this definition to open states: if $S$ is a state, we construct the open multiset $\bar S$ representing all normalized states it is mapped to. $\bar S$ is defined as follows:

$\bar S = \{\!\{\, \bar P : P \leftarrow S \,\}\!\}$

where $\{\!\{ \ldots \}\!\}$ is the multiset equivalent of the usual set notation $\{\ldots\}$, and $x \leftarrow M$ denotes multiplicity-conscious multiset membership. We shall choose different variables for each $P$ in $S$. Observe that since the initial state $S_0$ does not contain role state predicates, we have that $\bar S_0 = S_0$.

The mapping between an open state $\bar S$ and states that can be processed by transitions is done by means of substitutions $\xi$ that map each variable in $\bar S$ to a distinct constant that does not appear in $S$. Observe that $\bar S[\xi]$ is a (ground) state.

The definition of transition does not change, but we will denote a transition sequence that uses normalized rules as $\bar{\vec r}$ with the usual subscripts. We will shortly see how to normalize a transition sequence $\vec r$.

Given these various definitions, we are now in a position to prove that normalization preserves transitions. We have the following result.


Lemma 4.2

Let $\mathcal R$ be a regular protocol theory that has been subjected to the role generation transformation in the first part of this section, $S_0$ the initial state, and $S$ a state. Let moreover $\xi$ be an arbitrary substitution from the variables in $\bar S$ to distinct unused constants. Then,

1. If $S_0 \longrightarrow^*_{\vec r} S$, then $\bar S_0 \longrightarrow^*_{\bar{\vec r}} \bar S[\xi]$.

2. If $\bar S_0 \longrightarrow^*_{\bar{\vec r}} \bar S[\xi]$, then $S_0 \longrightarrow^*_{\vec r} S$.


Proof: In both cases, the proof proceeds by induction on the length of the given transition sequences. We will examine them in turn.

1. If $\vec r = \bullet$, then the result holds trivially since $\bar S_0 = S_0$. Clearly, $\bar{\vec r} = \bullet$.

Assume then that the given derivation sequence has the form $(\vec r, r)$ so that there is a state $S'$ such that $S_0 \longrightarrow^*_{\vec r} S'$ and $S' \longrightarrow_{r} S$. By induction hypothesis, for any substitution $\xi'$ of the required form, $\bar S_0 \longrightarrow^*_{\bar{\vec r}} \bar S'[\xi']$. We show by cases on the structure of $r$ that this property extends to $(\vec r, r)$. For the sake of conciseness, we will only develop the (more challenging) cases where $r$ is a sending rule. The other situations follow the same pattern.

Sending, initial: $r : \pi(x) \longrightarrow \exists n.\ A_{\rho 1}(x, n), N(m), \pi(x)$.

$\bar r$ has then the form

$\bar r : \pi(x) \longrightarrow \exists n.\ \exists n_2, \ldots, n_{|\rho|}.\ \bar A_{\rho 1}(x, n, n_2, \ldots, n_{|\rho|}), N(m), \pi(x)$

The normalized rule $\bar r$ is enabled in $\bar S'[\xi']$ since $r$ is enabled in $S'$ and their preconditions consist only of persistent information. Its application yields the state $(\bar S'[\xi'], \bar A_{\rho 1}(t, c, c_2, \ldots, c_{|\rho|}), N(m))$ for constants $c, c_2, \ldots, c_{|\rho|}$ that can be arbitrary as long as they are distinct from each other and from constants in

Now, $S = S', A_{\rho 1}(t, c), N(m)$, and therefore we have that $\bar S = \bar S', \bar A_{\rho 1}(t, c, n_2, \ldots, n_{|\rho|}), N(m)$ for distinct variables $n_2, \ldots, n_{|\rho|}$. It then suffices to define $\xi$ as the extension of $\xi'$ with the mapping $(c_2, \ldots, c_{|\rho|})/(n_2, \ldots, n_{|\rho|})$ to obtain the desired result.

Sending, non-initial: $r : A_{\rho i}(x) \longrightarrow \exists n.\ A_{\rho,i+1}(x, n), N(m)$.

$\bar r$ has then the form

$\bar r : \bar A_{\rho i}(x, n, n_{i+1}, \ldots, n_{|\rho|}) \longrightarrow \bar A_{\rho,i+1}(x, n, n_{i+1}, \ldots, n_{|\rho|}), N(m)$

By definition, $S' = S'', A_{\rho i}(t)$ and $S = S'', A_{\rho,i+1}(t, c), N(m)$, for distinct new constants $c$. We then have that $\bar S' = \bar S'', \bar A_{\rho i}(t, n, n_{i+1}, \ldots, n_{|\rho|})$. Therefore $\bar r$ is applicable to $\bar S'[\xi']$ for any $\xi'$ satisfying the above conditions. In particular, this holds for all such substitutions $\xi'_{c/n}$ that map $n$ to $c$. The application of $\bar r$ to $\bar S'[\xi'_{c/n}]$ produces the state $(\bar S'', \bar A_{\rho,i+1}(t, n, n_{i+1}, \ldots, n_{|\rho|}), N(m))[\xi'_{c/n}]$, which we can rewrite as $(\bar S'', \bar A_{\rho,i+1}(t, c, n_{i+1}, \ldots, n_{|\rho|}), N(m))[\xi'_{c/n}]$. The desired result follows then immediately once we observe that $\bar S = \bar S'', \bar A_{\rho,i+1}(t, c, n_{i+1}, \ldots, n_{|\rho|}), N(m)$.

2. The proof of the reverse direction of this lemma uses the techniques we just deployed: in the inductive step, we proceed by case distinction on the form of the last transition applied, assuming that the result holds up to this last step. The reverse of the substitution manipulations that we witnessed above is used to drop the added arguments of the role state predicates, which allows us to do without the substitution. □


In the following we will start from a regular protocol theory $\mathcal R$ and apply these two transformations in sequence. For clarity reasons, we will generally write $\mathcal R$ when $\bar{\hat{\mathcal R}}$ would be appropriate. We extend this convention to roles and states.

The following corollary chains the above results together. It also considers protocols augmented with the standard intruder theory $\mathcal I$. It must be observed that the above transformations do not have any effect on $\mathcal I$.

Corollary 4.3

Let $\mathcal R$ be a regular protocol theory, $S_0$ the initial state, and $S$ a state. Let moreover $\xi$ be an arbitrary substitution from the variables in $\bar S$ to distinct unused constants. Then,

1. If $S_0 \longrightarrow^*_{\mathcal R, \mathcal I} S$, then $\bar S_0 \longrightarrow^*_{\bar{\mathcal R}, \mathcal I} \bar S[\xi]$.

2. If $\bar S_0 \longrightarrow^*_{\bar{\mathcal R}, \mathcal I} \bar S[\xi]$, then $S_0 \longrightarrow^*_{\mathcal R, \mathcal I} S$.

Proof: This is a direct consequence of Lemmas 4.1 and 4.2 once we observe that the intruder rules never access the role state predicates of a principal. Therefore, the elision of the state predicate $A_{\rho 0}$ is invisible to the intruder. Similarly, the intruder cannot see nor take advantage of the fact that all existentials in a normal role have been instantiated up-front since they are safely stored in $\bar A_{\rho i}(x, n_{i+1}, \ldots, n_{|\rho|})$ until they are made visible in a message. □


4.2 Translation

We are now in a position to translate protocol representations expressed in the multiset rewriting formalism into strands. We first show in Section 4.2.1 how to map a general protocol theory into a set of parametric strands, and then relate the intruder theory directly to the penetrator strands in Section 4.2.2. In Section 4.2.4, we prove that this translation preserves transitions, after discussing how states are handled in Section 4.2.3.


4.2.1 From Protocol Theories to Parametric Strands

To each normalized role specification $\bar\rho$, we associate a parametric strand $\ulcorner \bar\rho \urcorner$ of the following form

$\rho(x, y, n) : n \text{ fresh}, \pi(x)$

where $n$ are the existential variables mentioned in the first rule $\bar r_{\rho 1}$ of this role, $\pi(x)$ are the persistent predicates accessed in this rule, and $y$ are the other variables appearing in the role ($x$, $y$, $n$ appear therefore in its last role state predicate).

Next, we associate a parametric node $v_{\rho i}$ with each rule $\bar r_{\rho i}$. The embedded message is the message appearing in the antecedent or the consequent of the rule, the distinction being accounted for by the associated action. More precisely, we have the following translation (where we have omitted the arguments of the state predicates, the indication of the variables occurring in the message, persistent information, and the existential quantifiers appearing in the role generation rule):

$\ulcorner A_{\rho i} \longrightarrow A_{\rho,i+1}, N(m) \urcorner = +m$

$\ulcorner A_{\rho i}, N(m) \longrightarrow A_{\rho,i+1} \urcorner = -m$

where $\ulcorner \_ \urcorner$ is our translation function.

Finally, we set the backbone of this parametric strand according to the order of the indices of the nodes (and rules):

$v_{\rho i} \Rightarrow v_{\rho j}$ iff $j = i + 1$.

In this way, we are identifying the role state predicates of the transition system specification with the $\Rightarrow$-edges constituting the backbone of the corresponding parametric strand. Notice that the well-founded ordering over role state predicates is mapped onto the acyclicity of the $\Rightarrow$-arrows of the strand constructions.

This completes our translation as far as roles, and therefore protocols, are concerned. Applying it to the Needham-Schroeder protocol yields exactly the parametric strand specification of Figure 4 presented in Section 3. Given a set of roles $\mathcal R$ in the transition system notation, we indicate the corresponding set of parametric strands as $\ulcorner \mathcal R \urcorner$. We will give correctness results at the end of this section after showing how to translate global states.
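The role-to-strand translation of this subsection, as an added example that is not part of the paper. It assumes the same lightweight representation as above (a role is a list of `(kind, msg, fresh, learned)` tuples with messages as strings; the Needham-Schroeder roles and all variable names are constructed), computes the parameter classes $x$, $y$, $n$ of the strand header, turns each rule into a $+m$ or $-m$ node, builds the $\Rightarrow$ backbone, and also instantiates a parametric strand with a substitution as Section 2's semantics require. The names `role_to_strand`, `protocol_to_strands` and `instantiate` are this example's own.

```python
import re

def role_to_strand(rho, persistent, rules):
    """Translate a role into a parametric strand.

    rules: list of (kind, msg, fresh, learned) in rule order, kind being "send"
    (A -> A', N(m)) or "recv" (A, N(m) -> A'); fresh lists the existential nonces
    of the rule, learned the variables a receive step first sees.
    Returns (header, nodes, backbone): header is the parameter line
    "rho(x; y; n) : n fresh, pi(x)", nodes the signed messages in backbone
    order, backbone the => edges as pairs of node indices."""
    x = list(persistent)                                     # x: persistent information
    n = [v for _, _, fresh, _ in rules for v in fresh]       # n: existentials of the role
    y = [v for _, _, _, learned in rules for v in learned]   # y: data learned from the network
    nodes = []
    for kind, msg, _, _ in rules:
        if kind == "send":
            nodes.append("+" + msg)   # message in the consequent -> positive node
        elif kind == "recv":
            nodes.append("-" + msg)   # message in the antecedent -> negative node
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
    backbone = [(i, i + 1) for i in range(len(nodes) - 1)]   # v_i => v_j iff j = i + 1
    header = (f"{rho}({','.join(x)}; {','.join(y)}; {','.join(n)}) : "
              f"{','.join(n)} fresh, pi({','.join(x)})")
    return header, nodes, backbone

def protocol_to_strands(theory):
    """Translate every role of a protocol theory; theory maps a role name to
    (persistent, rules)."""
    return {rho: role_to_strand(rho, p, r) for rho, (p, r) in theory.items()}

def instantiate(nodes, subst):
    """Instantiate a parametric strand: substitute terms for its parameters
    (terms for x and y, new constants for the fresh n) in every node."""
    return [re.sub(r"[A-Za-z_]\w*", lambda m: subst.get(m.group(0), m.group(0)), node)
            for node in nodes]

# Constructed input: the two Needham-Schroeder roles; variable names are illustrative.
NS = {
    "Init": (["A", "B", "kA", "kB"], [
        ("send", "enc(A,Na,kB)", ["Na"], []),
        ("recv", "enc(Na,Nb,kA)", [], ["Nb"]),
        ("send", "enc(Nb,kB)", [], []),
    ]),
    "Resp": (["A", "B", "kA", "kB"], [
        ("recv", "enc(A,Na,kB)", [], ["Na"]),
        ("send", "enc(Na,Nb,kA)", ["Nb"], []),
        ("recv", "enc(Nb,kB)", [], []),
    ]),
}

if __name__ == "__main__":
    for rho, (header, nodes, backbone) in protocol_to_strands(NS).items():
        print(header)
        print("  " + " => ".join(nodes))
```

The header printed for `Init` is `Init(A,B,kA,kB; Nb; Na) : Na fresh, pi(A,B,kA,kB)`: `Na` is the existential of the first rule, `Nb` the only variable the role learns, and both end up as parameters of the strand just as they end up in the last role state predicate.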


4.2.2 From Intruder Theory to Penetrator Strands

The introduction of the alternate intruder theory $\mathcal I'$ in Section 2.4 enables a trivial mapping to penetrator strands: we simply map every intruder rule to the corresponding penetrator strand, with the exception of $\mathit{rec}'$ and $\mathit{snd}'$, which do not have any correspondent. In symbols:

$\ulcorner \mathit{rec}'(m) \urcorner = \text{none}$    $\ulcorner \mathit{snd}'(m) \urcorner = \text{none}$

$\ulcorner \mathit{dcmp}'(m_1, m_2) \urcorner = S(m_1, m_2)$    $\ulcorner \mathit{cmp}'(m_1, m_2) \urcorner = C(m_1, m_2)$

$\ulcorner \mathit{decr}'(m, k) \urcorner = D(m, k)$    $\ulcorner \mathit{encr}'(m, k) \urcorner = E(m, k)$

$\ulcorner \mathit{nnc}'(n) \urcorner = N(n)$    $\ulcorner \mathit{pers}'(m) \urcorner = M(m)$

$\ulcorner \mathit{dup}(m) \urcorner = T(m)$    $\ulcorner \mathit{del}(m) \urcorner = F(m)$

where we have equipped the intruder rules with arguments in the obvious way. We also need to map the initial intruder knowledge $I_0$ to a set $P_0$ of messages initially known to the intruder, to be processed by the penetrator strand $M'$: $\ulcorner I_0 \urcorner = \{ m : I(m) \in I_0 \}$. Every access to a message $I(m)$ in $I_0$ will be translated to an application of the penetrator strand $M'(m)$.


4.2.3 Relating States and Configurations

In order to show that a transition system specification and its strand translation behave in the same way, we need to relate states and configurations. We do not need to give an exact mapping, since a configuration embeds a bundle expressing the execution up to the current point in fine detail. A state is instead a much simpler construction that does not contain any information about how it has been reached. Therefore, we will consider some properties that a configuration should have to be related to a state.

We say that a state $S = (\Pi, A, N(m), I(m'))$ is compatible with a strand configuration $(\sigma, \sigma^\sharp)$ relative to a (regular, but not necessarily normal) protocol theory $\mathcal R$ if the following conditions hold:

• $\mathrm{Fr}(\sigma) = \{m, m'\}$.

• Let $A_{\rho i}(t_\rho, c_\rho)$ in $A$ be the instantiation of the $i$-th role state predicate of a role $\rho$ in $\mathcal R$ with terms $t_\rho$ and fresh nonces $c_\rho$. Then,

  - $\sigma^\sharp$ contains a strand $s_\rho(c_\rho, t_\rho)$, obtained by instantiating the strand $s_\rho = \ulcorner \rho \urcorner$ with terms $t_\rho$ and new constants $c_\rho$.

  - $\sigma$ contains an initial prefix of $s_\rho(c_\rho, t_\rho)$ whose last node has index $i$.

  Moreover every non-penetrator strand in $(\sigma, \sigma^\sharp)$ is obtained in this way.

• Every instance of a penetrator strand in $(\sigma, \sigma^\sharp)$ is completely contained in $\sigma$.

Intuitively, we want the state and the configuration to mention the same nonces, to have the same messages in transit (including the data currently processed by the intruder), to be executing corresponding role instances and have them be stopped at the same point.

4.2.4 Transition to Move Sequences

Given these definitions, we can state the correctness result for our translation of transition systems into strand constructions. We shall start by limiting our attention to normal protocol theories together with the modified intruder theory introduced in Section 2.4.

Lemma 4.4

Let $\mathcal R$ be a normal protocol theory, $I_0$ some initial intruder knowledge, and $\ulcorner I_0 \urcorner$ its strand translation. If $\Pi, I_0 \longrightarrow^*_{\mathcal I', \mathcal R} S$ is a normal multiset rewriting transition sequence over $\mathcal I', \mathcal R$ from the empty state to state $S$, then there is a configuration $(\sigma, \sigma^\sharp)$ and a sequence of moves $\vec o$ such that

$(\bullet, \bullet) \vdash^{*\vec o}_{\mathcal P(\ulcorner I_0 \urcorner),\ \ulcorner \mathcal R \urcorner} (\sigma, \sigma^\sharp)$

is a strand transition sequence from the empty configuration $(\bullet, \bullet)$ to $(\sigma, \sigma^\sharp)$, and $S$ is compatible with $(\sigma, \sigma^\sharp)$.

Proof: The proof proceeds by induction on $\vec r$. The base case is trivial. The inductive step does a case analysis on the last rule applied in $\vec r$. Intruder rules from $\mathcal I'$ are directly emulated by the corresponding penetrator strands, as defined in Section 4.2.2. The use of protocol rule $\bar r_{\rho i}$ is emulated by a move involving the corresponding node in $\ulcorner \bar\rho \urcorner$. For each of these possibilities, we show that the corresponding move in the strand world is possible, and that it preserves the compatibility relation.

We omit formalizing this proof as it relies on exactly the same techniques as the proofs of previous results. □

We can now extend this result to any regular (not necessarily normal) theory together with the standard intruder model. We have the following theorem:

Theorem 4.5

Let $\mathcal R$ be a regular protocol theory and $I_0$ some initial intruder knowledge. For every regular multiset rewriting transition sequence $\Pi, I_0 \longrightarrow^*_{\mathcal I, \mathcal R} S$ there is a configuration $(\sigma, \sigma^\sharp)$ and a sequence of moves $\vec o$ such that

$(\bullet, \bullet) \vdash^{*\vec o}_{\mathcal P(\ulcorner I_0 \urcorner),\ \ulcorner \mathcal R \urcorner} (\sigma, \sigma^\sharp)$

is a strand transition sequence from the empty configuration $(\bullet, \bullet)$ to $(\sigma, \sigma^\sharp)$, and $S$ is compatible with $(\sigma, \sigma^\sharp)$.

Proof: This is a simple corollary of the above lemma mediated by an application of Lemma 4.1 to move between regular and normal protocol theories, and of Property 2.2 to reconcile the standard and the modified intruder theories. □

Observe that we cannot further relax the statement of this theorem to consider arbitrary (i.e. non-regular) protocol theories, as regularization does not preserve transition sequences.

5 From Strands to Multisets

We will now show how to translate a set of parametric strands into a set of multiset rewrite rules that preserves multistep transitions. To this end, we rely on relatively standard techniques to map process-based representations of security protocols to state-based descriptions [3]. However, we shall first address a slight mismatch between the two formalisms (Section 5.1). This technical adjustment of our definition of strands will produce precisely the regular role transition rules we originally defined in Section 2. The translation itself and its proof of correctness are then rather straightforward (Section 5.2).

5.1 Decorated Strands

In the previous section, we have observed and taken advantage of the fact that there is a close affinity between the rules in the transition system specification of a role and the nodes in a parametric strand. More precisely, a node together with the outgoing or incoming $\rightarrow$-edge and an indication of what to do next corresponds to a transition. In transition systems, “what to do next” is specified through the role state predicates $A_{\rho i}$; in strand constructions, by means of the $\Rightarrow$-edges. Therefore, using the same intuition as in Section 4, we will translate $\Rightarrow$-edges to state predicates. We need to equip these predicates with the appropriate arguments (while we were able to simply drop them in the inverse translation). This method is relatively standard when mapping process-based representations of security protocols to state-based descriptions [3]. Before describing how to do so, we will address two other minor syntactic discrepancies: the absence of an (explicit) strand equivalent of the role generation rule $\pi(x) \longrightarrow A_{\rho 0}(x), \pi(x)$, and the fact that, in the transition system specification of a role, there is a final state predicate that lingers in the global state no matter what other transitions take place.

Role Generation transition: We add a dummy initial node, say $\top$, to every strand, with no incoming or outgoing $\rightarrow$-edges, and one outgoing $\Rightarrow$-edge to the original first node of the strand.

Final state: Dually, we alter the definition of strands to contain a final node, say $\bot$, again without any incoming or outgoing $\rightarrow$-edge, and with one incoming $\Rightarrow$-arrow from the original last node of the strand.

This corresponds to redefining strands as strings drawn from the language $\top(\pm\mathcal M)^*\bot$, rather than just $(\pm\mathcal M)^*$. Notice that now every (proper) event has both a predecessor and a successor $\Rightarrow$-edge.

Figure 8. Extended Strand Specification of the Needham-Schroeder Protocol


With the addition of these auxiliary nodes, given a strand $s$ with parameters $x_s, n_s$ ($n_s$ marked fresh), in symbols

$\rho(x_s, n_s) : n_s \text{ fresh}, \pi(x_s)$

we can label each $\Rightarrow$-arrow in $s$ with a predicate constant $A_{si}$ with progressive indices $i$. In the case of parametric strands, we equip these labels with arguments drawn from the strand's set of parameters as follows:

Initial arrow: $\top \Rightarrow v$

This is the predicate $A_{s0}$ labeling the $\Rightarrow$-edge that links the added initial node $\top$ to the first node of the original strand. The arguments of $A_{s0}$ will be $x_s$, the persistent information used by the strand.

Successor arrow to a positive node: $\ldots \stackrel{A_{si}(x)}{\Rightarrow} +m(x, n) \Rightarrow \ldots$

Let $A_{si}(x)$ be the label of the incoming $\Rightarrow$-edge of a positive node $v = +m(x, n)$, where $m$ mentions known variables among $x$ and unused nonces $n$ among $n_s$. Then the outgoing $\Rightarrow$-arrow of $v$ will have label $A_{s,i+1}(x, n)$.

Successor arrow to a negative node: $\ldots \stackrel{A_{si}(x)}{\Rightarrow} -m(x, y) \Rightarrow \ldots$

Let $A_{si}(x)$ be the label of the incoming $\Rightarrow$-edge of a negative node $v = -m(x, y)$, where $m$ mentions known variables among $x$, and unseen data $y$ (for example nonces created by another party). Then, the outgoing $\Rightarrow$-arrow of $v$ will have label $A_{s,i+1}(x, y)$.

Given a parametric strand $s$, we denote the result of applying these transformations as $\bar s$. If $\mathcal S$ is a set of parametric strands specifying a protocol, we write $\bar{\mathcal S}$ for the transformed set. Applying this transformation to the Needham-Schroeder protocol yields the enhanced strand specification in Figure 8,  where the additions have been grayed out.

Since we have changed the syntax of a parametric strand, we need to upgrade its dynamics, originally presented in Section 2. First, an obvious alteration to the instantiation of a parametric strand: we apply the substitution to the labels of the $\Rightarrow$-edges as well as to the messages embedded in the nodes. We carry on this change to the resulting bundles and configurations: every $\Rightarrow$-edge between two nodes $v_1$ and $v_2$ now carries a label $A_{si}(t)$. We indicate this as $v_1 \stackrel{A_{si}(t)}{\Rightarrow} v_2$ (or with its vertical equivalent). Notice that we erased this information in the reverse translation. Given a bundle $\sigma$ and a configuration $(\sigma, \sigma^\sharp)$ relative to a set of parametric strands $\mathcal S$, we write $\bar\sigma$ and $(\bar\sigma, \bar\sigma^\sharp)$ for the corresponding entities relative to $\bar{\mathcal S}$.

The definition of one-step transition, in symbols $(\bar\sigma_1, \bar\sigma_1^\sharp) \vdash^{o}_{\bar{\mathcal S}} (\bar\sigma_2, \bar\sigma_2^\sharp)$, changes as follows:

Extension of an existing strand: We proceed exactly as in Section 2, except for the fact that situations $S_0$ and $R_0$ in Section 3.3 do not apply.

Installation of a new strand: We select a parametric strand $\rho$ from $\bar{\mathcal S}$, instantiate it with a substitution $\xi$ for its fresh variables and add the resulting strand $\rho[\xi]$ to $\bar\sigma_1^\sharp$. This corresponds to upgrading case $C_f$ in Section 3.3 as outlined in the following figure. We do not formalize this transformation (call it $C_f'$) in full detail since it should be obvious how to obtain it.

Transition $C_i$ is consequently upgraded to $C_i'$ described in the following figure. Notice that we add the first node, $\top$, of $\rho[\xi, \theta]$ to $\bar\sigma_2$.

As in the original case, multistep transitions are obtained by taking the reflexive and transitive closure of the above judgment.

This transformation is sound and complete with respect to our original system.

Lemma 5.1 Let $\mathcal S$ be a set of parametric strands, and $(\sigma_1, \sigma_1^\sharp)$ and $(\sigma_2, \sigma_2^\sharp)$ two configurations on it. Then,

$(\sigma_1, \sigma_1^\sharp) \vdash^{*\vec o}_{\mathcal S} (\sigma_2, \sigma_2^\sharp)$ if and only if $(\bar\sigma_1, \bar\sigma_1^\sharp) \vdash^{*\bar{\vec o}}_{\bar{\mathcal S}} (\bar\sigma_2, \bar\sigma_2^\sharp)$

where $\bar{\vec o}$ is obtained from $\vec o$ by extending the given transformation to traces.

Proof: In the forward direction, we add the labels as from the definition (they do not constrain the construction in any way); every use of transition $C_f$ that introduces a new strand is mapped to $C_f'$, which also installs the node $\top$. In the reverse direction, we simply forget about labels and extra nodes. Formally, both directions require a simple structural induction. □


5.2 Translation

Given the above definitions, we are in a position to propose a transition-preserving translation that maps strand representations of security protocols to the multiset rewriting formalism. We will proceed in stages: in Section 5.2.1 we concentrate on parametric strands, in Section 5.2.2 we relate the intruder models, in Section 5.2.3 we extract a notion of state from a configuration, and finally in Section 5.2.4 we prove the correctness of our translation.

5.2.1 From Parametric Strands to Roles

We now present a translation of parametric strands to the coordinated sets of transition rules representing a role. Each node is mapped to a rule, the labels of its incoming and outgoing $\Rightarrow$-edges will be the state predicates in the antecedent and consequent, respectively, and the network message will be the message embedded in the node, its polarity dictating on which side of the arrow it should appear. More formally, we have the translation displayed in Figure 9, where the parameters of the added state predicates are classified as in the above definition.

Given a set of (decorated) parametric strands $\mathcal S$, we write $\ulcorner \mathcal S \urcorner$ for the set of protocol rules resulting from this transformation. Observe that it yields regular rules. Applying this translation to the enhanced parametric strands representing the Needham-Schroeder protocol in Figure 8 produces exactly the original transition system specification given in Figure 1.
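The decoration of Section 5.1 and the node-to-rule translation of this subsection, carried out together on one strand. This is an added example, not the paper's Figure 9 nor code from the project: it assumes messages written as strings with identifiers not followed by `(` taken as variables, walks the strand once to compute the labels $A_{s0}(x_s), A_{s1}(x, n), A_{s2}(x, y), \ldots$ (rejecting a positive node that would send data neither bound nor fresh, which the decoration rules do not allow), then emits the role generation rule from the $\top$ node and one rule per proper node, and checks that the result is regular. The Needham-Schroeder initiator strand and the names `decorate`, `strand_to_role` and `is_regular` are this example's own.

```python
import re

def variables(msg):
    """Variables of a message term: identifiers that are not used as function symbols."""
    return [m.group(0) for m in re.finditer(r"[A-Za-z_]\w*", msg)
            if msg[m.end():m.end() + 1] != "("]

def decorate(s, x_s, n_s, nodes):
    """Label the => edges of strand s once the nodes T and _|_ have been added.
    Returns (labels, fresh): labels[i] is A_{s,i}(args) on the edge entering the
    i-th proper node (labels[0] on T => v_1, labels[len(nodes)] on v_last => _|_);
    fresh[i-1] lists the nonces of n_s first used at positive node i."""
    known = list(x_s)                               # x: parameters bound so far
    labels = [f"A_{s}0({','.join(known)})"]         # initial arrow carries x_s
    fresh = []
    for i, node in enumerate(nodes, start=1):
        sign, m = node[0], node[1:]
        new = list(dict.fromkeys(v for v in variables(m) if v not in known))
        if sign == "+":
            unbound = [v for v in new if v not in n_s]
            if unbound:                             # a sender may only add fresh nonces
                raise ValueError(f"{s}: node {i} sends unbound data {unbound}")
            fresh.append(new)                       # successor label gets (x, n)
        elif sign == "-":
            fresh.append([])                        # successor label gets (x, y)
        else:
            raise ValueError(f"bad node {node!r}")
        known += new
        labels.append(f"A_{s}{i}({','.join(known)})")
    return labels, fresh

def strand_to_role(s, x_s, n_s, nodes):
    """One rule per node: the incoming and outgoing => labels become the antecedent
    and consequent state predicates, N(m) sits on the side given by the polarity.
    Rule 0, from the added node T, is the role generation rule pi(x) -> A_s0(x), pi(x)."""
    labels, fresh = decorate(s, x_s, n_s, nodes)
    pi = f"pi({','.join(x_s)})"
    rules = [{"name": f"r_{s}0", "antecedent": [pi], "existential": [],
              "consequent": [labels[0], pi]}]
    for i, node in enumerate(nodes, start=1):
        sign, m = node[0], node[1:]
        if sign == "+":
            rules.append({"name": f"r_{s}{i}", "antecedent": [labels[i - 1]],
                          "existential": fresh[i - 1],
                          "consequent": [labels[i], f"N({m})"]})
        else:
            rules.append({"name": f"r_{s}{i}", "antecedent": [labels[i - 1], f"N({m})"],
                          "existential": [], "consequent": [labels[i]]})
    return rules

def is_regular(rules):
    """Persistent information pi(...) is accessed by the role generation rule only."""
    uses_pi = [any(p.startswith("pi(") for p in r["antecedent"] + r["consequent"])
               for r in rules]
    return uses_pi[0] and not any(uses_pi[1:])

# Constructed input: the Needham-Schroeder initiator as a parametric strand.
INIT_X, INIT_N = ["A", "B", "kA", "kB"], ["Na"]
INIT_NODES = ["+enc(A,Na,kB)", "-enc(Na,Nb,kA)", "+enc(Nb,kB)"]

if __name__ == "__main__":
    for r in strand_to_role("Init", INIT_X, INIT_N, INIT_NODES):
        ex = f"exists {','.join(r['existential'])}. " if r["existential"] else ""
        print(f"{r['name']}: {', '.join(r['antecedent'])} -> {ex}{', '.join(r['consequent'])}")
```

The existential quantifier lands on the rule of the node that first uses the nonce (`r_Init1` here), which is the regular rather than the normalized shape; feeding the output through a nonce normalization as in Section 4.1 is what would move it to rule 1.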


5.2.2 From Penetrator Strands to Intruder Theory

The translation of the penetrator strands $\mathcal P(P_0)$ in Figure 7 is essentially the inverse of the mapping discussed in Section 4.2.2. Our target intruder model, in the multiset rewriting world, is $\mathcal I'$.

$\ulcorner S(m_1, m_2) \urcorner = \mathit{dcmp}'(m_1, m_2)$    $\ulcorner C(m_1, m_2) \urcorner = \mathit{cmp}'(m_1, m_2)$

$\ulcorner D(m, k) \urcorner = \mathit{decr}'(m, k)$    $\ulcorner E(m, k) \urcorner = \mathit{encr}'(m, k)$

$\ulcorner N(n) \urcorner = \mathit{nnc}'(n)$    $\ulcorner M(m) \urcorner = \mathit{pers}'(m)$

$\ulcorner T(m) \urcorner = \mathit{dup}(m)$    $\ulcorner F(m) \urcorner = \mathit{del}(m)$

$\ulcorner M'(m) \urcorner = $ (see below)

where we have again equipped the intruder transition rules with the obvious arguments.

Notice that no penetrator strand is made to correspond to rules $\mathit{rec}'$ or $\mathit{snd}'$. When translating transition sequences from the strand world to the transition system setting, we will insert these rules whenever a message sent by a principal's strand is received by a penetrator strand, and vice-versa, respectively. We map $P_0$ to a multiset $I_0$ of messages initially known to the intruder in the multiset rewriting framework: $\ulcorner P_0 \urcorner = \{\!\{ I(m) : m \in P_0 \}\!\}$. Uses of $M'(m)$ with $m \in P_0$ are translated to accesses to $I(m) \in \ulcorner P_0 \urcorner$, possibly preceded by an application of rule $\mathit{dup}$ if $M'(m)$ is accessed more than once.


5.2.3 From Configurations to States

Before we can show that the translation we just outlined preserves transition sequences, we need to extract a state from a configuration and show that steps between configurations are mapped to steps between the corresponding states.

Let $\mathcal S$ be a set of parametric strands, $\ulcorner \mathcal S \urcorner$ its translation as a set of transition rules, and $(\sigma, \sigma^\sharp)$ a configuration over $\mathcal S, \mathcal P(P_0)$ where all penetrator strands have been completed. We define the state associated with $(\sigma, \sigma^\sharp)$, written $S_{\mathcal S}(\sigma, \sigma^\sharp)$, as the state $(\Pi, A, N, I)$ obtained as follows, where we write $\{\!\{ \ldots \}\!\}$ for the multiset equivalent of the usual set notation $\{\ldots\}$:

• $N = \{\!\{ N(m) : v \in \mathrm{Fr}(\sigma),\ v \text{ is not on a penetrator strand, and } v \text{ has label } +m \}\!\}$.

• $I = \{\!\{ I(m) : v \in \mathrm{Fr}(\sigma),\ v \text{ is on a penetrator strand, and } v \text{ has label } +m \}\!\}$.

• $A = \{\!\{ A_{si}(t) : s_{i-1} \stackrel{A_{si}(t)}{\Rightarrow} s_i \in \sigma^\sharp \setminus \sigma \text{ and } s_{i-1} \in \mathrm{Fr}(\sigma) \}\!\}$.

Intuitively, we collect the messages in transit coming from honest principals' strands in $N$, the current knowledge of the intruder in $I$, and the labels of the $\Rightarrow$-edges at the boundary between $\sigma^\sharp$ and $\sigma$ as the multiset of role state predicates $A$.
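The extraction of $S_{\mathcal S}(\sigma, \sigma^\sharp)$ above, and with it the compatibility conditions of Section 4.2.3 (the executed prefix of each honest strand ending at node $i$ corresponds to the role state predicate $A_{si}$), as an added example that is not code from the paper. It represents a configuration as a list of decorated strand instances, each with the length of its prefix in $\sigma$, plus the $\rightarrow$ edges of $\sigma$. Two readings of the frontier are this example's own assumptions: a positive node is in $\mathrm{Fr}(\sigma)$ when no node of $\sigma$ receives its message, and the $\Rightarrow$ edge at the $\sigma$/$\sigma^\sharp$ boundary is the one leaving the last executed node. The sample run (initiator has sent its first message, a penetrator $T$ strand has duplicated it, the responder is installed but idle) and all names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class Strand:
    """A strand instance inside a configuration.
    nodes: signed messages "+m" / "-m" in => order;
    labels: labels[i] is the A_{s,i}(t) decorating the => edge entering node i
            (labels[0] on T => v_1, labels[len(nodes)] on v_last => _|_);
    done: length of the prefix of the strand that lies in sigma (the executed part)."""
    name: str
    nodes: List[str]
    labels: List[str]
    done: int
    penetrator: bool = False

@dataclass
class Configuration:
    """(sigma, sigma#): the strands installed in sigma#, their executed prefixes
    forming sigma, and the -> edges of sigma as (sender, receiver) node pairs,
    a node being (strand name, index)."""
    strands: List[Strand]
    edges: Set[Tuple[Tuple[str, int], Tuple[str, int]]] = field(default_factory=set)

def state_of(conf, persistent):
    """Extract (Pi, A, N, I) from a configuration, following S_S(sigma, sigma#).
    Multisets are returned as sorted lists so that multiplicities are visible."""
    for s in conf.strands:
        if s.penetrator and s.done != len(s.nodes):   # precondition of the definition
            raise ValueError(f"penetrator strand {s.name} is not complete")
        if not s.penetrator and len(s.labels) != len(s.nodes) + 1:
            raise ValueError(f"strand {s.name} is not decorated")
    received = {src for src, _ in conf.edges}          # positive nodes consumed inside sigma
    N, I, A = [], [], []
    for s in conf.strands:
        for i in range(s.done):
            if s.nodes[i].startswith("+") and (s.name, i) not in received:
                m = s.nodes[i][1:]
                if s.penetrator:
                    I.append(f"I({m})")                # knowledge the intruder holds
                else:
                    N.append(f"N({m})")                # honest message still in transit
        if not s.penetrator:
            A.append(s.labels[s.done])                 # label of the boundary => edge
    return {"Pi": sorted(persistent), "A": sorted(A), "N": sorted(N), "I": sorted(I)}

# Constructed configuration of a Needham-Schroeder run.
INIT = Strand("Init", ["+enc(A,Na,kB)", "-enc(Na,Nb,kA)", "+enc(Nb,kB)"],
              ["A_Init0(A,B,kA,kB)", "A_Init1(A,B,kA,kB,Na)",
               "A_Init2(A,B,kA,kB,Na,Nb)", "A_Init3(A,B,kA,kB,Na,Nb)"], done=1)
RESP = Strand("Resp", ["-enc(A,Na,kB)", "+enc(Na,Nb,kA)", "-enc(Nb,kB)"],
              ["A_Resp0(A,B,kA,kB)", "A_Resp1(A,B,kA,kB,Na)",
               "A_Resp2(A,B,kA,kB,Na,Nb)", "A_Resp3(A,B,kA,kB,Na,Nb)"], done=0)
TEE = Strand("T", ["-enc(A,Na,kB)", "+enc(A,Na,kB)", "+enc(A,Na,kB)"], [],
             done=3, penetrator=True)
CONF = Configuration([INIT, RESP, TEE], edges={(("Init", 0), ("T", 0))})
PERSISTENT = ["key(A,kA)", "key(B,kB)"]                # constructed Pi facts

if __name__ == "__main__":
    for part, facts in state_of(CONF, PERSISTENT).items():
        print(part, facts)
```

The intruder's copy of the first message appears twice in $I$, which is the multiset view of what the $T$ strand did; had the initiator's message not been consumed by the penetrator it would sit in $N$ instead, and the two $A$ entries record exactly where each honest strand is stopped.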


5.2.4 From Move to Transition Sequences

Then, sequences of moves in the strand world and their translation as transition system steps are related as follows:

Theorem 5.2 Let $P_0$ be some initial penetrator knowledge, and $\ulcorner P_0 \urcorner$ its multiset translation as defined in Section 5.2.2. Let $(\sigma_1, \sigma_1^\sharp)$ and $(\sigma_2, \sigma_2^\sharp)$ be two configurations on the penetrator strands $\mathcal P(P_0)$ and a set of parametric strands $\mathcal S$ such that all penetrator strands have been completed. For every multistep strand transition

$(\sigma_1, \sigma_1^\sharp) \vdash^{*\vec o}_{\mathcal P(P_0),\ \mathcal S} (\sigma_2, \sigma_2^\sharp),$

and every $I_0 \subseteq \ulcorner P_0 \urcorner$, there exists a regular multiset transition sequence $\vec r$ such that

$\ulcorner P_0 \urcorner, S_{\mathcal S}(\sigma_1, \sigma_1^\sharp) \longrightarrow^*_{\vec r,\ \mathcal I',\ \ulcorner \mathcal S \urcorner} S_{\mathcal S}(\sigma_2, \sigma_2^\sharp), I_0$

Proof: The proof of this result proceeds by induction on the structure of $\vec o$. The only non-obvious aspect is that, as observed in Section 5.2.2, we need to insert applications of the rule $\mathit{rec}'$ when processing a message that flows from an honest principal's strand to a penetrator strand. We add uses of $\mathit{snd}'$ in the dual case. □

Notice that we do not need to start from the empty configuration.

The mapping from strands to multiset rewriting we have just finished outlining, and the translation from multiset rewriting to strand constructions described in Section 4 are inverses of each other. We leave the proof of this fact to the interested reader.


6  Related  Work 


Differences in models for distributed systems have captivated the curiosity of researchers for over two decades. It was observed that they tend to fall into two paradigms: state-based languages such as Petri nets and multiset rewriting cleanly separate the factual description of the world (as a marking or a state, resp.) and the transformations that modify it (as transitions or rules, resp.); process-based languages such as the various process algebras and here strand spaces blur the distinction in favor of the self-transforming notion of a process. An early attempt to provide a Petri net semantics to CCS can be found in [12], while a reverse mapping first appeared in [4]. First-order formalisms were considered only several years later in the classical work of Berry and Boudol [2], whose state-based formalism, however, is in many ways closer to a process algebra than to multiset rewriting. Most subsequent research on the subject has been semantic in nature [30] or has investigated specialized sublanguages [6, 18]. We were unable to take direct advantage of these and other papers in the literature in our attempt to define simple syntactic translations between state-based and process-based languages that could be instantiated to the security setting described here.

To the best of our knowledge, the first investigation of the relationship among specification languages for security protocols appeared in [9]. The present paper completes that work with a layer of detail previously omitted for editorial reasons and by connecting it to the body of research dedicated to relating languages for distributed systems, cryptographic protocols in particular. As observed in the introduction, numerous authors have explored the problem of connecting the numerous languages for security protocol analysis proposed in recent years.

The work of Crazzolara and Winskel [11] bears clear similarities to the present investigation: they start with SPL, a simple process-oriented language akin to the spi-calculus [1], and map it to several other formalisms, which include a form of contextual Petri nets, strand spaces, and Paulson's inductive method [29]. Once a few idiosyncrasies have been ironed out, the relationship to strand spaces is relatively simple as both have a process-based semantics. The translation to Petri nets, on the other hand, is closely related to our mapping of strand spaces to multiset rewriting in Section 5, although it does not go into the same level of detail. The reverse mapping is not discussed.

An abstract investigation of the relationship between state-based and process-based specification languages, with particular emphasis on formalisms for expressing security protocols, is initiated in [3], which is a prelude to general results linking the two paradigms. This work is directly inspired by recent research which places linear logic at the crossroad between the two paradigms [8, 27].

Additional cross-language investigations are found in [21], which notes similarities between strand spaces and multi-agent systems and proposes translations in both directions, as well as extensions to the strand space formalism. In [22], Heather unveils strong links between strand spaces and rank functions. In [24], Meadows surveys these two approaches and several more for their specific use of invariants. A different target is considered in [32], which uses strand spaces to define a semantics for BAN-like logics. Different yet is [19], which adapts strand spaces to relate the concrete cryptography found in protocol implementations and its abstraction in the Dolev-Yao model.

Following [9], several authors have made use of a dynamic semantics for strand spaces inspired by our parametric strands. Millen and Shmatikov [26] base their innovative constraint-solving analysis method for cryptographic protocols on a form of parametric strand without prescriptive freshness. The MITRE group, which pioneered strand spaces, embraced the related notion of schematic strands in [19]. An interpretation of parametric strands in linear logic was given in [8]. Further variants on the notion of parametric strands also appeared in [11, 17].

All of the above theoretical investigations allow researchers to understand precisely how their results are related, often enabling a direct transfer of properties such as secrecy and many forms of authentication, as most of these formalisms ultimately rely on a trace-based semantics. This observation was put into practice in the CAPSL Intermediate Language (CIL, another close relative of multiset rewriting) [14] and the numerous "connectors" translating CIL specifications to and from other languages and tools [5, 13, 25].

7  Conclusions  and  Future  Work 

We have revised the formal connection between multiset rewriting [10, 16] and strand constructions [33, 31] previously outlined in [9]. In particular, we situated it relative to the recent body of work aimed at relating languages for describing security protocols. The formalization required a number of unexpected adjustments to both frameworks. In particular, we equipped strands with a dynamic dimension by introducing a notion of transition that allows growing bundles from a set of parametric strands. This enabled us to relate the distinct notions of traces inherent to these formalisms: bundles and multiset rewrite sequences.

This work did not attempt any connection between the various verification methodologies that have been successfully used in conjunction with multiset rewriting and strand spaces (or closely related languages). There are two reasons for this. First, the multiset rewriting formalism was designed to be independent from any particular analysis technique, and indeed a number of proposals have been successfully applied to it. Second, such a meta-theoretic investigation is simply beyond the scope of this paper. However, it should be noted that the results here can be directly used to port any trace-based property established for one formalism to the other. This includes secrecy and most forms of authentication.
A Protocol Signatures

In  this  appendix,  we  give  a  formal  description  of  the  syntax  of  the  various  entities  used  in  this  paper.  We 
also  characterize  the  persistent  information  we  have  been  relying  upon  with  respect  to  this  language. 

A.1 Language

First,  we  rigorously  define  the  language  of  terms  and  the  predicate  symbols  we  have  been  using  in  the 
body  of  this  paper  in  order  to  specify  a  protocol  in  the  multiset  notation.  It  is  meant  to  be  extensible  if  the 
need  arises,  therefore  it  should  not  be  considered  complete.  Clearly,  this  is  only  one  of  the  many  possible 
formalizations,  not  necessarily  the  best  one.  This  attempt  goes  along  the  lines  of  [16],  although  it  is  not 
identical  to  it. 
Sorts

We first declare a number of sorts to classify the various entities we are working with.

    msg                 : sort    (Messages)
    principal  :: msg   : sort    (Principals)
    key        :: msg   : sort    (Keys)
    nonce      :: key   : sort    (Nonces)
    text       :: msg   : sort    (Data)

We rely on subsorting for simplicity (written "::"). Since nonces are often used as session keys, we declare nonce to be a subsort of key. By transitivity, it is also a subsort of msg.

We write m for messages, k for keys, n for nonces, t for texts, and a, b, ... for principal names. We use the corresponding capital letters for variables of the same sorts. We generally indicate the owner(s) of a key with a subscript. For example, the public key of a could be k_a, and a shared key between a and b could be indicated as k_ab. We sometimes write k_a^{-1} for the inverse of key k_a.

Whenever the effect of the protocol is to transmit information that is not generated within the protocol itself (e.g. a file or a credit card number), we tag it with sort text. This is slightly more precise than classifying it as a generic msg.

Messages 

Complex messages themselves are constructed from simpler messages by means of the operations of encryption and composition, declared below. Other operations, e.g. hashing, are declared similarly if the need arises.

    {_}_    : msg × key → msg    (Encryption)
    (_, _)  : msg × msg → msg    (Composition)

We do not include explicit decomposition and decryption operators as these functionalities are achieved by pattern matching on terms mentioning the above constructs. This simplification is adequate for our modeling purposes. Furthermore, it avoids the introduction of any non-trivial equational theory at the level of terms. Observe that this is not a limitation of our model, but a simplification: these operations could be included as primitives, and their equational theory operationally specified by means of rewrite rules.

As anticipated in Section 2, we often work with parametric messages, written m(x⃗), which differ from proper messages by the fact that some submessages can be variables among x⃗ = {x_1, ..., x_n}. Some of the x_i may not occur in m. Instantiating a parametric message m(x⃗) with messages t⃗ = {t_1, ..., t_n} matching (or specializing) the sorts of x⃗ is written m(t⃗). We write t⃗/x⃗ for the corresponding substitution, and call it θ. We denote the application of a substitution θ to a parametric message m as m[θ].

Network 

Information broadcast over the network has the form N(m), where N is declared as follows:

    N(_)  : msg → atom    (Message in transit)

An  equivalent,  but  not  as  general,  specification  of  network  messages  establishes  a  distinct  predicate 
for  each  legal  message  class  that  can  be  exchanged  during  a  run  of  a  protocol. 
Roles

We declare the sort role to classify role names, used, for example, to distinguish the initiator and the responder of the Needham-Schroeder protocols.

    role        : sort                      (Role)
    A_ρl(_, _)  : principal × m⃗ → atom      with ρ : role, l ∈ L, and m⃗ :: msg

The predicates A_ρl(a, m⃗) are intended to hold the local data m⃗ of a principal a in role ρ during the run of the successive steps of the protocol. Such data typically includes a's keys, the identity and public/shared keys of the message recipients (other principals or some server), nonces, external messages, etc.

We shall assume that for each role ρ, there are finitely many state predicates A_ρl, where l is a label in a partially ordered set L. In most cases, the indices l are successive numbers (l ∈ ℕ and l = 0 ... l_ρ). We give a more general definition to accommodate roles that can take conditional or non-deterministic actions.

Intruder  knowledge 

The  predicate  symbol  I  is  used  to  hold  the  knowledge  of  the  intruder  in  a  distributed  way. 

    I(_)  : msg → atom

Initialization 

Finally,  we  have  a  number  of  predicates  intended  to  organize  the  static  information  known  to  and 
about  the  various  parties  in  a  protocol.  This  list  is  by  no  means  exhaustive. 

    Pr(_)          : principal → atom
    Foe(_)         : principal → atom
    PubK(_, _)     : principal × key → atom
    PrvK(_, _)     : principal × key → atom
    ShK(_, _, _)   : principal × principal × key → atom
    KeyP(_, _)     : key × key → atom
    Txt(_, _)      : principal × text → atom

As a convention, we write initialization predicates in a slanted font to distinguish them from other symbols. The information they hold is expected not to change during the execution of a protocol.

Pr declares the known principals. It is actually redundant as the same information is conveyed by typing. Foe identifies the subset of the principals that are in league with the intruder (this could also be obtained via subsorting). PubK and PrvK are intended to relate a principal and its public and private keys, respectively. ShK indicates which keys are shared between which principals. KeyP records which pairs of keys are inverses of each other. Finally, Txt contains some piece of text that a principal may know before any run of the protocol takes place (and wants to transmit).

We collect these declarations in a signature that we call Σ. We generally keep Σ implicit. We assume that all the expressions we are considering are well-typed according to the contents of Σ.
A.2 Persistent Information

We discussed how to specify a protocol (given a signature Σ) in the body of this paper (Section 2.2). We complete this presentation by making more precise the contents of the initialization theory Π.

As we said, some information is given prior to any run of a protocol, and does not change during its execution. This includes the principals that are allowed to take part in it, including the dishonest ones (we may assume the intruder cannot bribe an otherwise honest principal during the execution), their keys unless the protocol models key distribution, the identity and public key of the servers, etc. We store this persistent information as a set of ground facts that we call Π. Given the declarations in the previous section, it contains some number of facts of the following form:

    • Pr(a).           • PubK(a, k_a).         • Txt(a, t).
    • Foe(a).          • PrvK(a, k_a^{-1}).
    • ShK(a, b, k_ab). • KeyP(k, k^{-1}).

None of the other predicates declared in the previous section may appear in Π. For any principals a and b, and keys k and k′, we make the following assumptions on Π:

1. if PubK(a, k) ∈ Π, then there is k^{-1} such that PrvK(a, k^{-1}) ∈ Π and KeyP(k, k^{-1}) ∈ Π.

2. if ShK(a, b, k) ∈ Π, then ShK(b, a, k) ∈ Π and KeyP(k, k) ∈ Π.

3. if KeyP(k, k′) ∈ Π, then KeyP(k′, k) ∈ Π.

The set Π can be viewed as an initialization theory.
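As an added illustration of the signature of Section A.1 and of the assumptions on Π just stated (example code written for this page, not part of the paper), the following Python models the sorted term language with its subsort relation, applies a substitution θ to a parametric message while checking that every replacement matches or specializes the sort of the variable it replaces, and checks a constructed set of ground facts against assumptions 1 to 3. The class names, the tuple encoding of facts, and the sample values a, b, e, ka, kb, kab are our own choices, not the paper's.

```python
# Added example (not the paper's code): sorted terms, parametric messages and the
# initialization theory of Appendix A; class and function names are ours.
from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Subsort declarations of Appendix A.1: s :: t means every s is also a t.
SUBSORT = {"principal": "msg", "key": "msg", "nonce": "key", "text": "msg"}

def is_subsort(s: str, t: str) -> bool:
    """Reflexive-transitive closure of '::', e.g. nonce :: key :: msg."""
    while s != t:
        if s not in SUBSORT:
            return False
        s = SUBSORT[s]
    return True

@dataclass(frozen=True)
class Atom:          # a, k_a, n_a, ...: a ground constant of some sort
    name: str
    sort: str

@dataclass(frozen=True)
class Var:           # A, K, N, ...: a parameter of a parametric message
    name: str
    sort: str

@dataclass(frozen=True)
class Enc:           # {m}_k : msg x key -> msg
    body: "Term"
    key: "Term"

@dataclass(frozen=True)
class Pair:          # (m1, m2) : msg x msg -> msg
    left: "Term"
    right: "Term"

Term = Union[Atom, Var, Enc, Pair]

def sort_of(t: Term) -> str:
    return t.sort if isinstance(t, (Atom, Var)) else "msg"

def well_typed(t: Term) -> bool:
    """Sort discipline of the signature: the key position of {_}_ must hold a key."""
    if isinstance(t, (Atom, Var)):
        return t.sort == "msg" or t.sort in SUBSORT
    if isinstance(t, Enc):
        return well_typed(t.body) and well_typed(t.key) and is_subsort(sort_of(t.key), "key")
    return well_typed(t.left) and well_typed(t.right)

def apply(t: Term, theta: Dict[Var, Term]) -> Term:
    """m[theta]: a replacement must match or specialize the sort of the variable it replaces."""
    if isinstance(t, Var):
        if t not in theta:
            return t                   # x_i may be absent from m, or left uninstantiated
        if not is_subsort(sort_of(theta[t]), t.sort):
            raise TypeError(f"{theta[t]} does not specialize sort {t.sort} of {t.name}")
        return theta[t]
    if isinstance(t, Atom):
        return t
    if isinstance(t, Enc):
        return Enc(apply(t.body, theta), apply(t.key, theta))
    return Pair(apply(t.left, theta), apply(t.right, theta))

# Constructed parametric message {(A, N)}_K with A : principal, N : nonce, K : key
A, N, K = Var("A", "principal"), Var("N", "nonce"), Var("K", "key")
MSG = Enc(Pair(A, N), K)

def check_init_theory(pi: Set[tuple]) -> List[str]:
    """Violations of assumptions 1-3 of Appendix A.2 on a set of facts (predicate, arg, ...);
    an empty list means the initialization theory is well-formed."""
    problems = []
    for pred, *args in sorted(pi):
        if pred not in {"Pr", "Foe", "PubK", "PrvK", "ShK", "KeyP", "Txt"}:
            problems.append(f"{pred} may not appear in the initialization theory")
        elif pred == "PubK":           # 1: some k^-1 with PrvK(a, k^-1) and KeyP(k, k^-1)
            a, k = args
            if not any(g[0] == "PrvK" and g[1] == a and ("KeyP", k, g[2]) in pi for g in pi):
                problems.append(f"PubK({a},{k}) has no PrvK/KeyP counterpart")
        elif pred == "ShK":            # 2: symmetric, and a shared key is its own inverse
            a, b, k = args
            if ("ShK", b, a, k) not in pi:
                problems.append(f"ShK({a},{b},{k}) without ShK({b},{a},{k})")
            if ("KeyP", k, k) not in pi:
                problems.append(f"ShK({a},{b},{k}) without KeyP({k},{k})")
        elif pred == "KeyP":           # 3: KeyP is symmetric
            k, k2 = args
            if ("KeyP", k2, k) not in pi:
                problems.append(f"KeyP({k},{k2}) without KeyP({k2},{k})")
    return problems

# Constructed theory: two honest principals with key pairs, one dishonest principal, a shared key
PI_OK = {
    ("Pr", "a"), ("Pr", "b"), ("Pr", "e"), ("Foe", "e"), ("Txt", "a", "t"),
    ("PubK", "a", "ka"), ("PrvK", "a", "ka^-1"), ("KeyP", "ka", "ka^-1"), ("KeyP", "ka^-1", "ka"),
    ("PubK", "b", "kb"), ("PrvK", "b", "kb^-1"), ("KeyP", "kb", "kb^-1"), ("KeyP", "kb^-1", "kb"),
    ("ShK", "a", "b", "kab"), ("ShK", "b", "a", "kab"), ("KeyP", "kab", "kab"),
}
# The same theory with one symmetric fact dropped from ShK and one from KeyP: two violations
PI_BAD = PI_OK - {("ShK", "b", "a", "kab"), ("KeyP", "kb^-1", "kb")}
```

Calling `check_init_theory(PI_OK)` returns an empty list, while `check_init_theory(PI_BAD)` reports the missing ShK(b, a, kab) and KeyP(kb^-1, kb) facts; `apply(MSG, {K: Atom("n", "nonce")})` is accepted because nonce :: key, whereas substituting a text for K raises a TypeError.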

B Configurations vs. Move Sequences in Dynamic Strands

The definition of execution for parametric strands given in Section 3 embeds two distinct notions of traces for strand constructions. On the one hand, configurations give a precise account of which events have taken place, abstracting from their temporal occurrence order, but taking into consideration their dependencies both in terms of the ordering of steps (captured by ⇒-edges) and message transmission/reception (expressed by the →-arrows). On the other hand, the move sequence ō that labels the transition arrow also indicates which steps have taken place, but imposes a linear occurrence order on them. We will now relate these two notions.

B.1 From Configurations to Move Sequences

Notice that, with the exception of Cf and Ci, each move inserts exactly one node in a configuration. Moreover, the very possibility of making such an insertion is regulated by the two types of edges. Therefore, we can think of a bundle as specifying a partial order of the occurrence of individual moves (the ordering relation is the transitive closure of the union of ⇒ and →). Instead, a move sequence linearizes the set of moves into a total order. In general, we can linearize a configuration (σ, σ♯) as a sequence of moves in many ways. The following definition imposes constraints on the form of acceptable move sequences.

Given a configuration (σ, σ♯) with σ = (S, ⇒, →) and σ♯ = (S♯, ⇒♯, →♯), we define 𝒪(σ, σ♯) as the set of move sequences ō = (o_1, ..., o_n) such that, for i = 1, ..., n:
(a) n = n_S0 + n_R0 + n_S + n_R + n_Cf + n_Ci, where n_S0 and n_R0 are respectively the number of initial sending and receiving nodes in σ, n_S and n_R are the number of non-initial sending and receiving nodes in σ respectively, n_Cf is the total number of strands (possibly only partially instantiated) in σ♯, and n_Ci is the number of fully instantiated strands among these. Moreover, ō contains exactly n_τ moves of each type τ above. Observe that |S| = n_S0 + n_R0 + n_S + n_R.

(b) For each o_i = (v_i, v_i^p, v_i^s), we have that v_i ∈ S. Moreover, if o_j = (v_j, v_j^p, v_j^s), then v_i ≠ v_j for i ≠ j.

(c) If o_i = (v_i, −, v_i^s), then v_i is initial in S, and there is a unique index j < i such that o_j = (v_j, θ_j) and v_i = v_j[θ_j].

(d) If o_i = (v_i, v_i^p, v_i^s) with v_i^p ≠ −, then there is a unique index j < i with o_j = (v_j, v_j^p, v_j^s) such that v_j ⇒ v_i is in σ and v_i^p = v_j.

(e) If o_i = (v_i, v_i^p, −), then there is a unique index j < i with o_j = (v_j, v_j^p, v_j^s) such that v_j → v_i in σ and v_j^s = v_i.

(f) If o_i = (v_i, v_i^p, v_i^s) with v_i^s ≠ −, then v_i^s ∈ S♯ and there are unique indices k < j < i with o_k = (ρ^k, ξ_k) and o_j = (v_j, θ_j) such that ρ^k_0[ξ_k] = v_j, and there is an index l such that ρ^k_l[ξ_k, θ_j] = v_i^s and v_i →♯ v_i^s in σ♯.

(g) If o_i = (v_i, θ_i), then there is a unique index j < i such that o_j = (ρ^j, ξ_j) and ρ^j_0[ξ_j] = v_i, and there is a fully instantiated strand ρ in σ♯ such that ρ = ρ^j[ξ_j, θ_i].

(h) If o_i = (ρ^i, ξ_i), then either ρ^i[ξ_i] is a partially instantiated strand in σ♯, or there is a unique index j > i such that o_j = (v_j, θ_j), ρ^i_0[ξ_i] = v_j and ρ^i[ξ_i, θ_j] is a fully instantiated strand in σ♯.

(b′) For each v ∈ S, there is an index i such that o_i = (v, v^p, v^s).

(c′) For every initial node v in σ, there is a unique index i such that o_i = (v, −, v^s).

(d′) For every non-initial node v in σ with parent v^p, there is a unique index i such that o_i = (v, v^p, v^s).

(e′) For every receiving node v in σ with sender v^s, there is a unique index i such that o_i = (v, v^p, −).

(f′) For every sending node v in σ with receiver v^s, there is a unique index i such that o_i = (v, v^p, v^s).

(g′) For every fully instantiated strand ρ in σ♯, there are unique indices i < j with o_i = (ρ^i, ξ_i) and o_j = (v_j, θ_j), such that ρ = ρ^i[ξ_i, θ_j] and v_j = ρ^i_0[ξ_i].

(h′) For every partially instantiated strand ρ in σ♯, there is a unique index i such that o_i = (ρ^i, ξ_i) and ρ = ρ^i[ξ_i].

The unprimed conditions (a) to (h) specify sufficient and mostly internal coherence conditions so that a move sequence belongs to 𝒪(σ, σ♯), while the primed conditions (b′) to (h′) give the corresponding necessary conditions.

Any legal move sequence ō from (•, •) to any configuration (σ, σ♯) is an element of 𝒪(σ, σ♯). This is formalized in the following completeness result.

Property B.1

Let (σ, σ♯) be a configuration over a set S of parametric strands and ō a move sequence such that (•, •) ⊢^ō_S (σ, σ♯). Then ō ∈ 𝒪(σ, σ♯).
Proof:

The proof proceeds by induction on the length of the move sequence ō, checking that each element in it satisfies the above definition.

The base case, where ō = •, trivially satisfies the property.

Assume then that (•, •) ⊢^ō_S (σ̂, σ̂♯) with ō = (o_1, ..., o_n) ∈ 𝒪(σ̂, σ̂♯), and that (σ̂, σ̂♯) ⊢^{o_{n+1}}_S (σ, σ♯). We will then show that for every such move o_{n+1}, it happens that (ō, o_{n+1}) ∈ 𝒪(σ, σ♯). We proceed by cases.

S0: Let o_{n+1} = (v, −, v″). We need to examine the various conditions of the definition of 𝒪(σ, σ♯).

(a) By induction hypothesis, |ō| = n̂ = n̂_S0 + n̂_R0 + n̂_S + n̂_R + n̂_Cf + n̂_Ci; moreover ō contains exactly n̂_τ moves of each type τ, and the constituents of (σ̂, σ̂♯) are related to these numbers as in the definition.

Now, n = |(ō, o_{n+1})| = n̂ + 1. For τ ≠ S0, the number of moves of type τ in (ō, o_{n+1}) does not change, so that n_τ = n̂_τ; instead n_S0 = n̂_S0 + 1. Moreover, (σ, σ♯) differs from (σ̂, σ̂♯) only by the addition of a single initial sending node (v) to the bundle part of the configuration (the definition of 𝒪(σ, σ♯) is not directly concerned with arrows). This entails that condition (a) holds for (ō, o_{n+1}).

Since the first n elements of (ō, o_{n+1}) are unchanged with respect to ō, the induction hypothesis allows us to conclude that conditions (b), (c), (d), (e), (f), (g), and (h) still hold for these elements. We will therefore check that they hold also for o_{n+1}. Since this move has type S0, only conditions (b), (c), and (f) are applicable. We will check them in turn:

(b) By definition of S0 transition, v ∈ S. Moreover, since v is new in S (i.e. v ∈ S but v ∉ Ŝ), there is clearly no index i ≤ n such that o_i = (v_i, v_i^p, v_i^s) with v_i = v.

(c) Again by definition of S0 transition, v is the initial node of a fully instantiated strand ρ in σ̂♯. Therefore, by condition (g′) on ō, there are unique indices i < j ≤ n with o_i = (ρ^i, ξ_i) and o_j = (v_j, θ_j), such that ρ = ρ^i[ξ_i, θ_j] and v_j = ρ^i_0[ξ_i]. In particular, v = v_j[θ_j] = ρ^i_0[ξ_i, θ_j] = ρ_0.

(f) By definition of S0 transition, v″ ∈ S♯ \ S and it lies on a fully instantiated strand ρ. Again by condition (g′) on ō, there are unique indices i < j ≤ n with o_i = (ρ^i, ξ_i) and o_j = (v_j, θ_j), such that ρ = ρ^i[ξ_i, θ_j] and v_j = ρ^i_0[ξ_i]. If v″ has index l in ρ, then v″ = ρ^i_l[ξ_i, θ_j]. Moreover, again by definition of S0, we have that v →♯ v″ is in σ♯.

Conditions (b′), (c′), (d′), (e′), (f′), (g′) and (h′) specify a family of mappings from nodes in the bundle part and strands in the parametric strand space part of the configuration to moves. By induction hypothesis, there exist such mappings from (σ̂, σ̂♯) to ō. Since (σ, σ♯) and (ō, o_{n+1}) can be seen as extensions of (σ̂, σ̂♯) and ō respectively, we will simply extend these mappings by relating the additions to the configuration and the new element o_{n+1} of the move sequence. Because the added move has type S0, only conditions (b′), (c′) and (f′) apply.

(b′) We associate the index n + 1 to the added node v. Again, the indices the other nodes in S are mapped to remain the same.

(c′) Again, we map v to n + 1 and leave the rest unchanged.

(f′) Ditto.

S: Let o_{n+1} = (v, v′, v″). The proof proceeds as in the previous case, except that we need to examine conditions (d) and (d′) instead of (c) and (c′). Condition (d′) is handled similarly to the other primed cases above. We will develop the remaining condition:

(d) By definition of S transition, v′ ∈ S and v′ ⇒ v in σ. By induction hypothesis, condition (b′), there is a unique index j ≤ n such that o_j = (v′, v^p, v^s).

R0: Let o_{n+1} = (v, −, −). The proof proceeds as in the previous cases, except that we need to examine conditions (e) and (e′). The latter is handled like the other primed cases above. We will focus on (e):

(e) By definition of R0 transition, v″ ∈ S and v″ → v in σ. By induction hypothesis, condition (b′), there is a unique index j ≤ n such that o_j = (v″, v^p, v^s).

R: In this case, o_{n+1} = (v, v′, −). The proof proceeds as in the previous cases, and we have examined all the relevant subcases.

Cf: Let o_{n+1} = (ρ, ξ). The considerations made in the previous cases can readily be extended to this situation. Condition (a) is treated similarly, the remaining non-primed conditions hold identically for the elements of ō, and the primed conditions are processed as above. We need however to check that condition (h) holds for o_{n+1} (it is the only non-primed condition applicable to a move of this kind).

(h) This condition can be fulfilled in two alternative ways: either by mapping the considered move to a partially instantiated strand in the configuration, or by showing that it is connected to a subsequent move of type Ci. We must clearly adopt the first option and associate o_{n+1} to ρ[ξ] in σ♯.

Ci: Let o_{n+1} = (v_0, θ). The verification of the unprimed conditions proceeds as above: in particular we can assume that conditions (b) through (h) hold for the elements of ō. We are then left with checking that (g) holds for o_{n+1} (no other unprimed condition applies).

(g) By definition of Ci, σ̂♯ contains a partially instantiated strand ρ with initial node v_0. By induction hypothesis and condition (h′) on ρ, there is a unique index j ≤ n such that o_j = (ρ^j, ξ_j) and ρ = ρ^j[ξ_j]. Clearly, v_0 = ρ^j_0[ξ_j]. Moreover, ρ[θ] = ρ^j[ξ_j, θ] is a fully instantiated strand in σ♯.

The verification of the primed conditions is more subtle than in the previous cases since moves of type Ci have the unique characteristic of not simply extending a configuration, but actually replacing a partially instantiated strand ρ with a ground instance ρ[θ]. Therefore, we not only need to map the newly inserted strand ρ[θ] to some index (which will clearly be n + 1), but also to upgrade the conditions associated with the elided ρ.

By condition (h′) on ρ, there exists an index i ≤ n such that o_i = (ρ^i, ξ_i) and ρ = ρ^i[ξ_i]. Then, condition (h) applied to o_i in ō because ρ^i[ξ_i] belonged to σ̂♯. We must verify that it still applies in (ō, o_{n+1}) although ρ^i[ξ_i] is not present in σ♯. We fall back to the second alternative in the definition of (h): n + 1 is an index greater than i such that o_{n+1} = (v_0, θ) and, by construction, v_0 = ρ^i_0[ξ_i]. Clearly, this index is unique since the use of any other transition of type Ci would have instantiated ρ^i, making it unavailable.

This concludes the proof of this property. Most of the proofs below rely on similar techniques. Therefore, whenever this is the case, we will only present proof sketches and refer the reader to this detailed proof. □

Moreover, any ō in 𝒪(σ, σ♯) is a legal move sequence from (•, •) to (σ, σ♯), as expressed by the following soundness result.

Property B.2

Let (σ, σ♯) be a configuration over a set S of parametric strands; then for each ō ∈ 𝒪(σ, σ♯) the multistep transition (•, •) ⊢^ō_S (σ, σ♯) is well-defined.

Proof: We proceed by induction on the structure of the configuration. For this purpose, we need to define two well-orderings, both denoted ≺, one over parametric strand spaces, and the other over configurations themselves.

Let σ_1♯ and σ_2♯ be two parametric strand spaces. We say that σ_1♯ ≺ σ_2♯ if either of the following conditions holds:

• σ_2♯ = σ_1♯ ∪ {ρ} for a partially instantiated strand ρ.

• σ_2♯ = σ_1♯ − {ρ} ∪ {ρ[θ]} for a partially instantiated strand ρ in σ_1♯ and a substitution θ such that ρ[θ] is fully instantiated.

• there is a parametric strand space σ♯ such that σ_1♯ ≺ σ♯ and σ♯ ≺ σ_2♯.

Let (σ_1, σ_1♯) and (σ_2, σ_2♯) be two configurations. We say that (σ_1, σ_1♯) ≺ (σ_2, σ_2♯) if either of the following conditions holds:

• σ_1 is a proper subgraph of σ_2 and σ_1♯ = σ_2♯;

• σ_1 = σ_2 and σ_1♯ ≺ σ_2♯;

• there is a configuration (σ, σ♯) such that (σ_1, σ_1♯) ≺ (σ, σ♯) and (σ, σ♯) ≺ (σ_2, σ_2♯).

It is easy to show that this is indeed a well-ordering. Observe that its minimum is the empty configuration (•, •).

In the base case, in which (σ, σ♯) is (•, •), the property at hand holds trivially since only the empty move sequence is an element of 𝒪(•, •).

Let us then assume that ō = (o_1, ..., o_{n+1}) ∈ 𝒪(σ, σ♯). We will show that there is a configuration (σ̂, σ̂♯) ≺ (σ, σ♯) such that (σ̂, σ̂♯) ⊢^{o_{n+1}}_S (σ, σ♯) and (o_1, ..., o_n) ∈ 𝒪(σ̂, σ̂♯). It then follows, by induction hypothesis and the definition of multistep transition, that (•, •) ⊢^ō_S (σ, σ♯).

The determination of (σ̂, σ̂♯) proceeds by cases on the structure of o_{n+1}. For the sake of conciseness, we will only analyze the situation in which o_{n+1} = (v, −, v″), i.e. it is intended to witness a transition of type S0.

o_{n+1} = (v, −, v″): By condition (b) of the definition of 𝒪(σ, σ♯), we know that v ∈ S. By condition (c), v has no predecessor in σ. By condition (f), v″ ∈ S♯ \ S and v →♯ v″, from which we deduce that v and v″ are a sending and a receiving node, respectively. We are therefore in the following situation:

Since (σ, σ♯) is a configuration, the process of removing v from S (but not from S♯) and (v, v″) from →♯ yields another configuration, displayed below. Call it (σ̂, σ̂♯). By definition of ≺, we have that (σ̂, σ̂♯) ≺ (σ, σ♯).

A transition of type S0 with v as the sending node and v″ as the receiving node is then enabled in (σ̂, σ̂♯). The corresponding move is precisely o_{n+1}, and the resulting configuration is (σ, σ♯). Indeed we have that (σ̂, σ̂♯) ⊢^{o_{n+1}}_S (σ, σ♯).

The other cases are treated similarly. □


B.2  From  Move  Sequences  to  Configurations 


If $o$ describes the transition from $(\bullet, \bullet)$ to a configuration $(\sigma, \sigma^{**})$, the individual moves in $o$ contain enough information to play back the sequence of moves and exactly reconstruct $(\sigma, \sigma^{**})$. This is done as follows.

Given a sequence of moves $o = (o_1, \ldots, o_l)$, we define the configuration associated with $o$, written $(\sigma_s, \sigma_t)$, as the triples $(S_s, \Rightarrow_s, \to_s)$ and $(S_t, \Rightarrow_t, \to_t)$ given as follows:


(4. 


=  {p%,0j]  ■  (P%&)  G  o,(vj,9j)  G  o,  and  Vj  =  pj[&]} 
U  {p*[£i]  :  (p\  £i)  G  o  and  there  is  no  (vj,9j)  G  o 
such  that  Vj  =  pj  [£*]}. 


- 4=  {Wi^D  ■  Pi  Ivl)  G  o}- 

So  =  {Vi  ■  {Vi,vf,v?)  G  o}. 

J 


=  (=^5)|s-  =  go}. 

=  ( — 4)|sa  =  :  G  oand(n|,pj’,-)  G  o}. 


where $R|_S$ is the subrelation of $R$ that only contains edges with extremes in $S$. It is easy to prove that, in the last two cases, the alternate definitions are equivalent.

Now, if $o$ labels a transition from $(\bullet, \bullet)$ to some configuration $(\sigma, \sigma^{**})$, then $(\sigma_s, \sigma_t)$ is isomorphic to $(\sigma, \sigma^{**})$. We have the following expected result.


Property B.3

Let $(\sigma, \sigma^{**})$ be a configuration and $o$ a move sequence such that $(\bullet, \bullet) \vdash\!\xrightarrow{o}_S (\sigma, \sigma^{**})$. Then, $(\sigma_s, \sigma_t)$ is a configuration and there is an isomorphism between $(\sigma_s, \sigma_t)$ and $(\sigma, \sigma^{**})$.

Proof: The proof proceeds by induction on the length of $o$.

If $o = \bullet$, the result follows immediately.

If the move sequence has the form $(o, o')$ with $(\bullet, \bullet) \vdash\!\xrightarrow{o}_S (\hat\sigma, \hat\sigma^{**})$ and moreover $(\hat\sigma, \hat\sigma^{**}) \vdash\!\xrightarrow{o'}_S (\sigma, \sigma^{**})$, the induction hypothesis allows us to assume that $(\hat\sigma_s, \hat\sigma_t)$ and $(\hat\sigma, \hat\sigma^{**})$ are isomorphic. We then show by cases on the structure of the move $o'$ that this isomorphism is preserved by the extension of $o$ with any legal move that leads to $(\sigma, \sigma^{**})$. We will spare the reader further details of this simple, but rather tedious, proof. □
The two constructions we have just defined are essentially inverses of each other, as schematized in Figure 10. Given a configuration, the first returns the set of all the move sequences that produce it. Given a move sequence, the second returns the resulting configuration. In particular, observe that, when starting from a configuration, chaining these transformations yields the same configuration. However, if we start from a move sequence, their cascaded application will return the set of all sequences that construct its same target configuration. These remarks are summarized in the following corollary and in Figure 10.

Corollary B.4

Let $(\sigma, \sigma^{**})$ be a configuration over a set of parametric strands $S$.

1. For every $o$ such that $(\bullet, \bullet) \vdash\!\xrightarrow{o}_S (\sigma, \sigma^{**})$, we have that $o \in O_{(\sigma_s,\sigma_t)}$.

2. For every $o \in O_{(\sigma,\sigma^{**})}$, $(\sigma_s, \sigma_t)$ is isomorphic to $(\sigma, \sigma^{**})$.

Proof: The first statement reduces to Property B.1 after observing that $O_{(\sigma_s,\sigma_t)} = O_{(\sigma,\sigma^{**})}$ since $(\sigma_s, \sigma_t)$ is isomorphic to $(\sigma, \sigma^{**})$. The second part is a consequence of Properties B.2 and B.3. □

These considerations allow us to extract a useful notion of equivalence between move sequences: $o_1$ and $o_2$ are equivalent if they produce the same configuration, which can be tested by verifying whether the configurations $(\sigma_s, \sigma_t)$ associated with $o_1$ and with $o_2$ are isomorphic. The equivalence class to which a move sequence $o$ belongs is therefore $O_{(\sigma_s,\sigma_t)}$. Notice also that, in general, symmetry considerations do not allow selecting a unique element of $O_{(\sigma_s,\sigma_t)}$ as 'the' normal move sequence from $(\bullet, \bullet)$ to a configuration $(\sigma, \sigma^{**})$: this suggests that $(\sigma_s, \sigma_t)$ is the most compact representation of the equivalence class $O_{(\sigma,\sigma^{**})}$ of $o$.
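As an added illustration, not code from the paper, the following Python replays move sequences made only of the type-$S_0$ moves $(v, -, v'')$ analyzed above, applying conditions (c) and (f) as legality checks, and tests the equivalence of two sequences by comparing the configurations they reconstruct. The node universe with its send/receive labels, the tuple encoding of moves and the use of equality (rather than isomorphism, since node names are shared) are assumptions of this example.

```python
from typing import FrozenSet, List, Optional, Tuple

Move = Tuple[str, Optional[str], str]            # (v, -, v''): a type-S0 move
Config = Tuple[FrozenSet[str], FrozenSet[Tuple[str, str]]]  # (S, ->**) part that moves build

# Constructed universe of nodes (assumed, not from the paper): a1 -> b1 is
# "A sends, B receives"; b2 -> a2 is the reply in the opposite direction.
SEND = {"a1", "b2"}
RECV = {"b1", "a2"}


def replay(moves: List[Move]) -> Config:
    """Play back `moves` from (•,•): each type-S0 move adds the sending node v
    to S and the edge (v, v'') to ->**.  Raises ValueError on an illegal move."""
    s: set = set()
    arrows: set = set()
    for (v, middle, v2) in moves:
        if middle is not None:
            raise ValueError(f"only type-S0 moves (v, -, v'') are modelled: {(v, middle, v2)}")
        if v in s:                                    # condition (c): v has no predecessor in o
            raise ValueError(f"sending node {v} already introduced")
        if v not in SEND or v2 not in RECV:           # condition (f): v sends, v'' receives
            raise ValueError(f"{v} -> {v2} is not a send/receive pair")
        if v2 in s:                                   # condition (f): v'' lies outside S
            raise ValueError(f"receiving node {v2} already in S")
        s.add(v)
        arrows.add((v, v2))
    return frozenset(s), frozenset(arrows)


def equivalent(o1: List[Move], o2: List[Move]) -> bool:
    """Two move sequences are equivalent iff they reconstruct the same
    configuration; with shared node names, isomorphism is plain equality."""
    return replay(o1) == replay(o2)


if __name__ == "__main__":
    run = [("a1", None, "b1"), ("b2", None, "a2")]
    print(replay(run))
    print(equivalent(run, list(reversed(run))))   # same configuration, different order
```

Sequences differing only in the order of independent moves land in the same equivalence class, which is why no single member can be singled out as the normal form.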